We have talked about using the index to make searches faster. When starting a new investigation, following a few steps will help you get results faster:
- Set the time range to the smallest window you believe will contain the relevant events. For a chatty log, this may be as little as a minute. If you don't know when the events occurred, search a larger time frame and then zoom in by clicking on the timeline while the search is still running.
- Specify the index if you have multiple indexes. It's good to get into the habit of starting your queries with the index name, for example, `index=myapplicationindex error bob`.
- Specify other fields that are relevant. The most common fields to specify are
host, for ...
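The three steps above combined into one search, as an added example that is not from the original text; the index name comes from the page, while the host value, the time modifiers and the 15-minute window are assumptions for illustration:

```spl
/* Broad search: every index, default time range, two bare terms.
   Splunk must consult every index's time buckets that fall in the range. */
error bob

/* Step 1 and 2: bound the time window and name the index first.
   earliest/latest mirror what the time picker sets; buckets outside
   the window and indexes other than myapplicationindex are skipped. */
index=myapplicationindex earliest=-15m latest=now error bob

/* Step 3: add the relevant field (host value is assumed). Indexed fields
   such as host narrow the candidate events before the terms are matched. */
index=myapplicationindex earliest=-15m latest=now host=web01 error bob
```

Each successive query returns a subset of the one before it, so if the narrowed search returns nothing, widen the time range first, then drop the field filter.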