Anatomy of a Splunk search
There are three basic components to a Splunk search, and all of them have an effect on how quickly the data itself is rendered in your search panel.
Root search
This is the portion of the search that defines where the data itself is located within Splunk. It consists of any one of the four core Splunk fields. Index, sourcetype, source, and host are the core Splunk fields that can only be aliased; it is usually not advisable to overwrite them.
Calculation/evaluation
This is the portion of the search where we leverage statistical functions, eval functions, or multi-value field functions in order to prepare the data we are searching for and the way we want to present it. The order of functions is critical in this section of the query, which is usually the largest portion of a search.
Presentation/action
This is the portion of the search where we present our search in either a chart or a table, and we let Splunk render the data as we asked it to. This is the last portion...
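As an added example (not from the original text) of a search built in these three layers, assume a constructed index named linux_secure holding sshd logs with "Failed password" lines: the first line is the root search, the rex/eval/stats/where pipeline is the calculation/evaluation layer, and sort/table are the presentation layer.

```spl
index=linux_secure sourcetype=linux_secure "Failed password"
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| eval user=lower(user)
| stats count AS failures, dc(src_ip) AS distinct_sources, min(_time) AS first_seen, max(_time) AS last_seen BY user
| where failures >= 20
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
| table user failures distinct_sources first_seen last_seen
```

The ordering the text warns about shows up twice here: lower(user) must run before stats ... BY user, or the same account in different letter cases is counted as separate rows, and the strftime eval must come after stats because first_seen and last_seen only exist from that point on.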