The search below yields a count of hosts each day. It works well but will be extremely slow and inefficient if I run it for longer than a week (ideally 90 days). Is there a better way to write this to speed it up?
index=_internal per_host_thruput | timechart span=1d dc(series) as hosts
If you're just looking at finding all host values, wouldn't a tstats be a better option, rather than looking at the per_host_thruput from metrics.log?
For example:
| tstats count where index=* by host,_time | timechart dc(host)
Hey, you can save this search as a report and do report acceleration for 90 days, so for the last 90 days or in between any time period your search will run faster.
Also, try this search in fast mode. You can find this option below the time picker in Splunk.
Have a look at this doc for more:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Manageacceleratedsearchsummaries