Splunk Search

How can I make this search faster and more efficient "index=_internal per_host_thruput | timechart span=1d dc(series) as hosts"

mattbellezza
Explorer

The search below yields a count of hosts each day. It works well but will be extremely slow and inefficient if I run it for longer then a week (ideal 90 days). Is there a better way to write this to speed it up?

index=_internal per_host_thruput | timechart span=1d dc(series) as hosts

0 Karma
1 Solution

FrankVl
Ultra Champion

If you're just looking at finding all host values, wouldn't a tstats be a better option, rather than looking at the per_host_thruput from metrics.log?
For example:
| tstats count where index=* by host,_time | timechart dc(host)

View solution in original post

FrankVl
Ultra Champion

If you're just looking at finding all host values, wouldn't a tstats be a better option, rather than looking at the per_host_thruput from metrics.log?
For example:
| tstats count where index=* by host,_time | timechart dc(host)

mayurr98
Super Champion

Hey
you can save this search as a report and do report acceleration for 90 days.
so for last 90 days or in between any time period you search will run faster
Also, try this search in fast mode you can find this option below timepicker in splunk.

have a look at this doc for more:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Manageacceleratedsearchsummaries

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...