Solved: How do I optimize the performance of my search tha...

McJansen · ‎11-23-2015

Hi,

I have a performance issue concerning multiple time ranges in 1 search.
The search string is as follows:

(index=[index1] sourcetype=[sourcetype1]) OR (index=[index2] sourcetype=[sourcetype2 hoursago=24])

I choose for the timerangepicker the value: last 3 months.

Now this search will take ages.
The first part of the search isn't the problem, but the second one is.
It should be clear that I want all records from the first part and only the records from the last 24 hours from the last part.
The search above provide me with these, but the search takes ages.

My question is: isn't there a way to make this search faster?
I can't join because of the number of records (over 72 million) .

Thanx in advance!!

NOUMSSI · ‎11-24-2015

Hi,

Try this for your the second one:

(index=[index1] sourcetype=[sourcetype1]) OR (index=[index2] sourcetype=[sourcetype2 earliest=-24h latest=now])

View solution in original post

NOUMSSI · ‎11-24-2015

Hi,

Try this for your the second one:

(index=[index1] sourcetype=[sourcetype1]) OR (index=[index2] sourcetype=[sourcetype2 earliest=-24h latest=now])

McJansen · ‎11-24-2015

Sometimes I feel stupid! 😉

Thanx!!!!

NOUMSSI · ‎12-03-2015

Ok! please dont forget to vote me

How do I optimize the performance of my search that is currently using a different time range per sourcetype?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...