1: 背景：

splunk 的查询语句的是否优化，对是否节省资源有很大的影响。下面说一下大概的方法：

There are a set of basic principles that you can follow to optimize your searches.

• Retrieve only the required data

• Move as little data as possible

• Parallelize as much work as possible

• Set appropriate time windows （设置合适查询时间）

To implement the search optimization principles, use the following techniques.

• Filter as much as possible in the initial search

• Perform joins and lookups on only the required data

• Perform evaluations on the minimum number of events possible

• Move commands that bring data to the search head as late as possible in your search criteria

2: 用个实际的查询例子来说明：

A frequently used search

One search that is frequently used is a search that con