Hi, I have a couple of searches where the main search can be limited a fair amount, let's say to the last 2 weeks, but I have a subsearch that requires searching across all time, albeit on a small dataset.
Currently I handle this as follows:
event=LOGIN
| where _time >= relative_time(now(), "-14d")
| join type=left userId
    [search source=SmallSource.csv
     | table userId userProperty]
| where userProperty = X
| ...
With the time picker set to All Time. The SmallSource contains some user properties tied to the creation date of the user, so I need it to search across All Time, but this slows down the main search, which must now search every event across all time despite only needing the last 2 weeks!
Is there a way I can make this more efficient? I'm fairly new to Splunk so I'm not sure if I can put some of this info in another search, like a report I can reference, or if there is another way to restrict time more efficiently than this.
Thanks!
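As an added example that is not part of the original post: the same join restructured so that each search carries its own time range in the search string. A `where _time ...` clause filters events only after they have been read from the index, whereas `earliest=`/`latest=` in the search string restrict what is read and take precedence over the time picker, so the outer search scans just the last 14 days while the subsearch sets its own all-time window (`earliest=0`). The index name and the field values are assumed.

```spl
index=auth event=LOGIN earliest=-14d latest=now
| join type=left userId
    [search source=SmallSource.csv earliest=0 latest=now
     | table userId userProperty]
| where userProperty="X"
| ...
```

The subsearch result-count and runtime limits still apply to the bracketed search, so it remains suitable only while SmallSource stays small.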