I have a base search / post-process setup as follows, but it is taking more time than separate inline queries.
<search id="baseSearch">
  <query>
    index=testapp OutgoingCall=google | stats count by Result
  </query>
  <earliest>-1d@h</earliest>
  <latest>now</latest>
</search>
<panel>
  <single>
    <title>Total</title>
    <search base="baseSearch">
      <query>
        stats sum(count)
      </query>
    </search>
  </single>
</panel>
<panel>
  <single>
    <search base="baseSearch">
      <query>
        search Result=Success | stats sum(count) AS successCount
      </query>
    </search>
  </single>
</panel>
<panel>
  <single>
    <title>Failed</title>
    <search base="baseSearch">
      <query>search Result=Failed | stats sum(count) as failedCount</query>
    </search>
  </single>
</panel>
I used the following doc as a reference:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches
Why is this very slow? Am I doing something wrong?
Note: Splunk Enterprise version 6.6.3