I read your comment…
Improve your cpu usages
You can increase CPU usage for better throughput by:
Disable or tune down various steps in processing.
Turn off event type discovery.
Tune timestamps recognition.
Improve your memory usages.
Splunk will always use as much memory as is available to it to process searches. To increase Splunk’s memory usage efficiency, and prevent it from running out of memory while searching change your searches to better use memory:
Reduce unnecessary use of AND and OR conditions. Reduce the complexity of your regexes.
Reduce the number of fields that are extracted to avoid running out of memory during a search.
Narrow the timerange of your search to avoid running out of memory during a search.
Select only core fields in your fields list so that time, and memory extraction doesn’t run.