1: 背景：

splunk 的查詢語句的是否優化，對是否節省資源有很大的影響。下面說一下大概的方法：

There are a set of basic principles that you can follow to optimize your searches.

• Retrieve only the required data

• Move as little data as possible

• Parallelize as much work as possible

• Set appropriate time windows （設置合適查詢時間）

To implement the search optimization principles, use the following techniques.

• Filter as much as possible in the initial search

• Perform joins and lookups on only the required data

• Perform evaluations on the minimum number of events possible

• Move commands that bring data to the search head as late as possible in your search criteria

2: 用個實際的查詢例子來說明：

A frequently used search

One search that is frequently used is a search that con