That definitely looks like a less resource-intensive way to do it - I'll give it a go starting tomorrow.
FWIW, after I twigged that a sort -_time is required after a subsearch append to make transaction work, I discovered that the search became flaky, with results I knew to be there not showing up...
...until I dropped my time interval to under an hour, because the number of results returned by the search of the DHCP logs was making Splunk barf.
That's going to have implications for how we actually go about tracking this sort of information - currently, I'm thinking of having the search run on a 10-minute interval and append a csv file, and then use that as the input to a report/dashboard panel.
Where that blog post will come into it is in expiring old entries from the head of the csv file. Very helpful.
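As an added illustration, not part of this thread, here is one way to lay out the two searches described above in SPL: a scheduled search that appends the DHCP/transaction results to a CSV lookup every 10 minutes, and a second search that expires old rows. The index names, sourcetypes and field names (dhcp, web_proxy, client_ip, client_mac, hostname, url) and the lookup file name dhcp_activity.csv are assumed placeholders; the relative sort on _time before transaction and the `sort 0` (no 10k row cap) follow the point made in the reply.

```spl
index=dhcp sourcetype=dhcp_lease earliest=-10m@m latest=@m
| fields _time client_ip client_mac hostname
| append [ search index=proxy sourcetype=web_proxy earliest=-10m@m latest=@m
           | fields _time client_ip url ]
| sort 0 -_time
| transaction client_ip maxspan=10m
| table _time client_ip client_mac hostname url
| outputlookup append=true dhcp_activity.csv

| inputlookup dhcp_activity.csv
| where _time >= relative_time(now(), "-7d@d")
| outputlookup dhcp_activity.csv
```

Schedule the first search on a 10-minute cron over the same 10-minute window so each run appends only new rows; the second search, run daily, rewrites the lookup keeping only the last 7 days so the file does not grow without bound.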