Re: How to accelerate search in forms?

dishasaxena · ‎12-08-2013

Is there any way to accelerate searches which are being used in forms. Since,we cannot save form searches as they contain variables, so we need to use searchstring only. So possibly there could be any way to incorporate search acceleration by using any tag or by any other means.
Could someone please help me here?

Regards,
Disha

Ayn · ‎12-08-2013

How to accelerate arbitrary searches? Well this is in essence what Splunk does by its very nature 🙂

Report acceleration (and summary indexing) works by performing calculations and aggregations before searches against the data are made so that you can search against that preprocessed data instead of the raw data, trading disk space for performance. Without knowing in advance what those searches are, it's naturally not possible to do this.

The only way to do something like this I can think of off the top of my head is that if you always have some static components of your search you could divide up your search so those run on their own in the base search. Then you throw in your variables in a separate search that feeds off the initial search. Something like:

| savedsearch "Your base search" | search variable=value variable2=value2

and so on. BEWARE though that this requires the saved search that you're accelerating to be as specific as possible, otherwise you won't really get any performance boost from this - you'll only be claiming more disk space without getting any benefits.

dishasaxena · ‎12-13-2013

Hi Ayn,

Thanks for your answer. Your approach sounds pretty good but somehow it is not working at my end, when I am trying to run a savedseardh using savedsearch as a first command, it is not displaying any result. Any troubleshooting you suggest?

How to accelerate search in forms?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio