I just want to improve the speed of my search.I don't know what you mean!

you can save your query as a report and the accelerate it for the period you want. This can be an alternative to give you faster results at the time of your search but know that this would still cause extensive resource usage (only in the background i.e. at off times when you might not be searching).
You would also have to use a transforming command in your search to make it capable of acceleration.
Check this for more details -
https://docs.splunk.com/Documentation/Splunk/7.3.0/Report/Acceleratereports
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Manageacceleratedsearchsummaries

I will try it ,thanks

Even if the search conditions are accurate, the speed is slow.There's a lot of data, maybe billions,so the search speed is slow.
When the search command is executed, memory and CPU usage are minimal.Using the same data, ELK takes up a lot of memory and cpu, and it's much faster than splunk.
So, what should I do?
Thanks.

So what's your environment (regarding Indexer(s) and searchhead(s), storage)? And where are you examining the resource consumption?

I just created an index called test. I view CPU and memory usage through task management.

My first question was: what is your environment? Do you run Splunk in a standalone installation? What kind of storage do you have attached?

My test environments are win10 and Ubuntu 16.I run Splunk in a standalone installation.My storage is SSD,and there's a lot of free space

Ok, this way we could get further. Should have asked earlier, but: are you using virtual machines? What are the characteristics of your servers/VMs regarding CPU, RAM. I assume you have one (i.e. "1") SSD in your environment?

I use physical machines. I am not sure the information of CPU.It's for server,so its performance will not be weak.And the RAM is 240GB.Finally,you're right,thereis one SSD.

For the Linux machine you could use cat /proc/cpuinfo for getting processor information. The interesting figures are "number of cores" and "cpu speed". Regarding the one SSD: Splunk recommends 800IOPS, which one SSD probably isn't able to deliver. So this may be your bottleneck.

In your first post you wrote "hundreds of millions of data from billions of data" - what is this in GB? What is this as event count?

Still there's not sure, what you want to achieve with your query. As @martin_mueller pointed out - there's not much sense in just displaying "hundreds of millions of data". So you probably want to do something else with your data. Would be very helpful - if not essential - to get an idea of what you're planning to do?