Hello,
I am beginning in Splunk and am told to resolve some calculation times issues using searches.
The functionnality should do the following :
The first of the month, for example "2013, April 1st", it gets the applicative monthly logs from index "test" for January, February, March. Here is the search syntax :
index="test" sourcetype="test_source_type" | timechart span=1mon eval(round(count(),0)) by httpDomain | addtotals | rename _time AS Time | eval Time=strftime(Time, "%B %y")
A dashboard display the differents values grouped by Month.
The problem is that the processing time is extremely high because the search is on All Indexed Data. I know there are several possibilities, (using Collect command to create Archive index, accelerate mode, ...) but I cannot implement this in a good way.
Would you have some ideas please ? A good practice ? It could be very helpfull.
The Splunk System is 4.2.5
I am ready to send some more informations or print screens when necessary
Thank you and best regards.
David
... View more