Solved: Saving sub-search to speed up Searching

tristanmatthews · ‎12-07-2013

Hi,

I have a number of searches structured where I'm comparing again summary indexes and lookup tables or results I don't want. From the docs my searches are formatted like:

index=some_index NOT [search index=another_index | fields field_val]

where the summary index another_index is only updated once a day. These searches are used in my dashboards several times and seem to run very slowly. Is there a way to explicitly save sub search so that it doesn't have to be rerun? Or this done automatically?

somesoni2 · ‎12-07-2013

You can saved the subsearch clause as a saved search and use them in your queries.

Saved Search : `

index=another_index | fields field_val

Updated dashboard searches

index=some_index NOT [|savedsearch savedSearchName]

Also, to improve performance, you can change your subquery from

index=another_index | fields field_val

to

 index=another_index | stats count by field_val | fields - count

View solution in original post

somesoni2 · ‎12-07-2013

You can saved the subsearch clause as a saved search and use them in your queries.

Saved Search : `

index=another_index | fields field_val

Updated dashboard searches

index=some_index NOT [|savedsearch savedSearchName]

Also, to improve performance, you can change your subquery from

index=another_index | fields field_val

to

 index=another_index | stats count by field_val | fields - count

Saving sub-search to speed up Searching

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life