
Is it possible to do an index-only search without loading the raw event?

Lowell
Super Champion

I have a summary index search that does some simple stats (count) by host and sourcetype for WMI events. The problem I'm running into is that the search is pretty slow mostly because there are many WMI events to process. For the most part, I don't really need splunk to actually load these events since I'm simply doing some counts, so that got me thinking:

Is it possible to issue a search in splunk that doesn't actually fetch the raw event text?

In other words, I would be fine with simply getting back _time, source, sourcetype, and host without incurring the overhead of actually going out to disk to fetch the full event for each and every event. (My understanding is that all those fields would be available directly within the index (.tsidx) files and therefore would need to fetch the event in the rawdata directory. I could be way off on this...)

I know that you can disable certain things like event-typing and lookups when doing a direct dispatch call, so I wasn't sure if something like this is possible or not.

Example search:

source=WMI:* | stats count as events by sourcetype, host

Stephen_Sorkin
Splunk Employee

It's currently not possible to not read the rawdata at all. The best you can do is to run from the CLI or Advanced Charting view so that no fields are extracted from the event. We previously had a setting to only read the timestamp and source/sourcetype/host, but this was hard to make work completely in all search cases.
