Hello,
Below is my search. Since I am using join, the search is slow. Can I please know if there is a way to increase the speed of the search rather than absolutely specifying the index?
| tstats max(_time) as lastReport WHERE splunk_server_group=abc index=*_abc_* OR index=main by host
| eval LastReported=strftime(lastReport,"%m/%d/%y %H:%M:%S")
| table LastReported host
| join host [search index=_internal hostname=* | stats count by hostname sourceIp | rename hostname as host ]