1
Advanced Searching and Statistics
hard
A large e-commerce platform uses Splunk to monitor user sessions. Each session is composed of multiple events with a common 'session_id' field. The current search to compute average session duration is: 'index=web | transaction session_id maxspan=30m | eval duration=_time_last - _time | stats avg(duration)'. This search runs for over an hour on a 6-hour time window. The environment has 20 indexers and data volume is 2 TB/day. The admin suspects that the transaction command is the bottleneck. Which optimization should be applied?