Making searches faster
We have talked about using the index to make searches faster. When starting a new investigation, the following few steps will help you get results faster:
- Set the time to the minimum time that you believe will be required to locate relevant events. For a chatty log, this may be as little as a minute. If you don't know when the events occurred, you might search a larger time frame and then zoom in by clicking on the timeline while the search is running.
- Specify the index if you have multiple indexes. It's good to get into the habit of starting your queries with the index name. For example:
index=myapplicationindex error bob
- Specify other fields that are relevant. The most common fields to specify are sourcetype and host. For ...
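Putting the three steps together, here is an added example (not from the book) of how the same investigation search looks before and after it is narrowed. The index name is the one used above; the sourcetype and host values and the 15-minute window are assumed for illustration and should be replaced with the ones that match your own data.

```spl
error bob

index=myapplicationindex sourcetype=myapp:log host=app01 error bob earliest=-15m latest=now
```

The first search scans every index over the default time range and forces Splunk to test each event for the words "error" and "bob". The second restricts the scan to one index, one sourcetype and one host, and to the last 15 minutes, so far fewer buckets are opened; if that window turns out to be too narrow, widen earliest= (for example to -4h) rather than dropping the index and field constraints.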