Solved: Disabling eventtypes on a per-query basis?

sowings · ‎07-17-2013

I've got a long-running search that's spending more time than necessary in command.search.typer. I say more time than necessary because I'm not referencing the eventtypes at all, whether as a field nor as part of my search string. I've tried the fields - eventtype strategy listed here, but I still see time spent in command.search.typer.

Anything else I can try to temporarily disable eventtypes?

(Splunk version is 4.3.6.)

_d_ · ‎07-25-2013

I suppose you can always do ...| fields [list of necessary fields ONLY] | ....

View solution in original post

_d_ · ‎07-25-2013

I suppose you can always do ...| fields [list of necessary fields ONLY] | ....

sowings · ‎07-25-2013

Once I limited the search to just the fields I wanted, typer doesn't show up in job inspector. Thanks!

_d_ · ‎07-17-2013

try this:

| fields - eventtype, tag::eventtype

sowings · ‎07-17-2013

Sadly, that doesn't work, either.

Disabling eventtypes on a per-query basis?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases