Write better searches Splunk manual contains the following recomendation:
Specify indexed fields with "field"::"value"
You can also run efficient searches for fields that have been indexed from structured data such as CSV files and JSON data sources. When you do this, replace the equal sign with double colons, like this: "field"::"value".
This is the link to the manual:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/Writebettersearches
I have tried this recommendation myself and the searches indeed execute much faster.
My question is why specifying indexed fields with "field"::"value" instead of "field"="value" results in faster searches?
What exactly happens when the search is executed?
↧
Why specifying indexed fields with "field"::"value" results in faster and more efficient searches?
↧