I have a summary index search that does some simple stats (count) by host and sourcetype for WMI events. The problem I'm running into is that the search is pretty slow mostly because there are many WMI events to process. For the most part, I don't really need splunk to actually load these events since I'm simply doing some counts, so that got me thinking:
Is is possible to issue a search in splunk that doesn't actually fetch the raw event text?
In other words, I would be fine with simply getting back simply _time
, source
, sourcetype
, and host
without out incurring the overhead of actually going out to disk to fetch the full event for each and every event. (My understanding is that all those fields would be available directly within the index (.tsidx
) files and therefore would need to fetch the event in the rawdata
directory. I could be way off on this...)
I know that you can disable certain things like event-typing and lookups when doing a direct dispatch
call, so I wasn't sure if something like this is possible or not.
Example search:
source=WMI:* | stats count as events by sourcetype, host
It's currently not possible to not read the rawdata at all. The best you can do is to run from the CLI or Advanced Charting view so that no fields are extracted from the event. We previously had a setting to only read the timestamp and source/sourcetype/host, but this was hard to make work completely in all search cases.