Splunk Search

How to accelerate search in forms?

dishasaxena
Path Finder

Is there any way to accelerate searches which are being used in forms? Since we cannot save form searches, as they contain variables, we need to use searchstring only. So could there possibly be any way to incorporate search acceleration by using a tag or by any other means?
Could someone please help me here?

Regards,
Disha

0 Karma

Ayn
Legend

How to accelerate arbitrary searches? Well this is in essence what Splunk does by its very nature 🙂

Report acceleration (and summary indexing) works by performing calculations and aggregations before searches against the data are made so that you can search against that preprocessed data instead of the raw data, trading disk space for performance. Without knowing in advance what those searches are, it's naturally not possible to do this.

The only way to do something like this I can think of off the top of my head is that if you always have some static components of your search you could divide up your search so those run on their own in the base search. Then you throw in your variables in a separate search that feeds off the initial search. Something like:

| savedsearch "Your base search" | search variable=value variable2=value2

and so on. BEWARE though that this requires the saved search that you're accelerating to be as specific as possible, otherwise you won't really get any performance boost from this - you'll only be claiming more disk space without getting any benefits.

0 Karma
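
Added example, not part of the answer above and not Splunk-provided code: a Simple XML form that wires up the pattern described, with the static part kept in the saved search and the form tokens used only in the trailing filter. The token names, the `host` and `status` fields and the dropdown choices are assumptions for illustration; "Your base search" is the placeholder name from the answer.

```xml
<form>
  <label>Form on top of a saved search (constructed example)</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- Hypothetical inputs; each one sets a token used in the query below -->
    <input type="text" token="host_tok">
      <label>Host</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="status_tok">
      <label>Status</label>
      <choice value="*">Any</choice>
      <choice value="200">200</choice>
      <choice value="404">404</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!--
            Static part: the saved search, referenced by name.
            Variable part: a trailing filter built from the form tokens.
            The |s token filter wraps each value in quotes, so user input
            stays a field value and cannot add extra search commands.
            The saved search must return the host and status fields,
            otherwise the filter matches nothing.
          -->
          <query>| savedsearch "Your base search" | search host=$host_tok|s$ status=$status_tok|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```
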

dishasaxena
Path Finder

Hi Ayn,

Thanks for your answer. Your approach sounds pretty good, but somehow it is not working at my end. When I try to run a saved search using savedsearch as the first command, it does not display any results. Any troubleshooting you suggest?

0 Karma