How it works...

Let's break down the search piece by piece:

In this recipe, you used the table command. The table command can have a noticeable performance impact on large searches. Use it towards the end of a search, after all other Splunk commands have finished processing the data.

The stats command is more efficient than the table command and should be used in place of table where possible. However, be aware that stats and table are two very different commands.
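As an added illustration (not part of the original recipe), the two searches below run over the same events. The first keeps table as the last command, after filtering and eval, and returns one row per event. The second uses stats and returns one aggregated row per client IP and status, which is why it can only stand in for table when a summary is what you need. The index name main and web access data with the access_combined sourcetype are assumptions.

```spl
index=main sourcetype=access_combined status>=500
| eval kb=round(bytes/1024, 2)
| table _time, clientip, uri_path, status, kb

index=main sourcetype=access_combined status>=500
| stats count AS errors, sum(bytes) AS total_bytes BY clientip, status
```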