I was using calculated fields, but then I started reading the documentation and saw that calculated fields are done during search-time.
https://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/definecalcfields
I'm thinking this doesn't really give me an advantage of having it inside of the search vs outside in a calculated field in terms of performance.
Is there any way to do the calculated field before search time? Or is it only done once during the first initial search?