Splunk Search

How to accelerate search in forms?

dishasaxena
Path Finder

Is there any way to accelerate searches which are being used in forms? Since we cannot save form searches as they contain variables, we need to use searchstring only. So possibly there could be a way to incorporate search acceleration by using a tag or by some other means.
Could someone please help me here?

Regards,
Disha

0 Karma

Ayn
Legend

How to accelerate arbitrary searches? Well this is in essence what Splunk does by its very nature 🙂

Report acceleration (and summary indexing) works by performing calculations and aggregations before searches against the data are made so that you can search against that preprocessed data instead of the raw data, trading disk space for performance. Without knowing in advance what those searches are, it's naturally not possible to do this.

The only way to do something like this I can think of off the top of my head is that if you always have some static components of your search you could divide up your search so those run on their own in the base search. Then you throw in your variables in a separate search that feeds off the initial search. Something like:

| savedsearch "Your base search" | search variable=value variable2=value2

and so on. BEWARE though that this requires the saved search that you're accelerating to be as specific as possible, otherwise you won't really get any performance boost from this - you'll only be claiming more disk space without getting any benefits.

0 Karma

dishasaxena
Path Finder

Hi Ayn,

Thanks for your answer. Your approach sounds pretty good, but somehow it is not working at my end. When I try to run a saved search using savedsearch as the first command, it is not displaying any results. Any troubleshooting you suggest?

0 Karma