Running a search against the data in a Partition is almost exactly the same as running any other query. The difference you'll notice is the speed at which results are returned, especially if you're searching over a large amount of data.
There are several ways to run a search against a Partition; you don't need to change the way you interact with your data in order to see quicker search results.
Partitions can be searched in any of the following ways:
- In the Search page.
- From a saved search.
- From a search in the Library.
- From the Manage Data > Logs > Partitions page.
Queries that contain partitions can be used in saved and scheduled searches, as dashboard panels, and as published or saved searches.
Run a search against a partition from the Partitions page
- Go to Manage Data > Logs > Partitions.
- Do one of the following:
  - Click the Search Icon to the right of the index name. This launches a search on just the data indexed in the partition.
  - Select a Partition from the table and click the Search Icon to the right of the routing expression. This launches a search that runs the expression against the partition, as well as any other logs that match the query. This means that you can capture search results on all data, not just the data indexed in the partition.
Why did I get a message to run a search against a partition?
After starting a search that would return faster results if the query were run against a partition, you’ll see a message appear under the search bar that includes a link to the recommended, optimized search.
When the link opens the optimized search in a new search tab, run the search by pressing the Enter/Return key or by clicking Start on the Search page. By default, the optimized search uses the same time range as your original search.