4. Add more words from the relevant messages as and when you find them.
This can be done simply by clicking on words or field values in events, or
on field values in the field picker, for example, index=myapplicationindex
sourcetype="impl_splunk_gen" error bob authclass OR fooclass.
5. Expand your time range once you have found the events that you need, and
then refine the search further.
6. Disable Field discovery (at the top of the field picker). This can greatly
improve speed, particularly if your query retrieves a lot of events.
Extracting all of the fields from events simply takes a lot of computing
time, and disabling this option prevents Splunk from doing all of that
work when not needed.
If the query you are running is taking a long time to run, and you
will be running this query on a regular basis—perhaps for an alert
or dashboard—using a summary index may be appropriate. We
will discuss this in Chapter 9, Summary Indexes and CSV Files.
Sharing results with others
It is often convenient to share a specific set of results with another user. You
could always export the results to a CSV file and share it, but this is cumbersome.
Instead, to use a URL for sharing, start by choosing Save & share results… from
the Save menu.
 