Hi,
I have a dashboard with a search that produces how much data has been indexed by Splunk for a given time range. However, due to the large amount of data being processed, this search is quite slow. I was wondering what the best method is for caching previous search results and only searching from the current time to the last cache searched. For example, if I was searching how much data was indexed in the past 7 days, and I had a cached search for the first 4 days, I'd like to use that cached search, then add on the remaining last 3 days.
Any help is appreciated! Thanks.
Splunk doesn't have the ability to cache search results and use them like this per se at search time (you can look at the loadjob command and understand what I mean here). So I believe you want to use Report Acceleration.
I would advise you look here first:
https://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Manageacceleratedsearchsummaries
That has a good outline of what you have to do and what kind of searches you can use this on. There are constraints on the search you can enable this on along with how to check how much is Accelerated.
I agree with @esix for making use of Report Acceleration.
Splunk doesn't have the ability to cache search results and use them like this per se at search time
Confusing comment. Search results will be cached by default. Just for this use case, it is not recommended to make use of it. Report Acceleration is a way better solution.