How to extract extracted fields faster
When I search for a field in the search window it's very fast (although it returns me the entire event).
But when I use the field extractor to convert it into a keyword (which is a part of the event)
and look for the keyword in a search then it's very slow
index=main host="*"
| search * keyword12!="NULL"
| dedup host
| table keyword12, host
Trying to find the matches with keyword12 in the hosts.
How can I make this fast? Am I using the above search properly?
There is no benefit to searching for something, then re-running search in a new command (after a pipe). And bare asterisks serve no purpose at all.
index=main keyword12!="NULL"
| dedup host
| table keyword12, host
This will return the same results as your search and should be a lot more efficient.
EDIT: If at all possible avoid negated searching. In other words, try to turn the keyword12 NOT EQUAL term into a positive match, or a series of positive matches using OR. Negative matching is far less efficient than positive matching.
keyword12=something OR keyword12=somethingelse OR keyword12=otherthing
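As an added example (not from the original thread or its authors), here is the accepted answer's advice carried through into one complete search: all filtering happens in the base search, the negation is replaced by positive matches, and the second form uses SPL's IN operator, which expresses the same OR list more compactly. The field name keyword12 is the one from the question; the values alpha, beta and gamma are placeholders for whatever values you actually expect in that field.

```spl
index=main (keyword12="alpha" OR keyword12="beta" OR keyword12="gamma")
| dedup host
| table keyword12, host

index=main keyword12 IN ("alpha", "beta", "gamma")
| dedup host
| table keyword12, host
```

The parentheses in the first form make the grouping explicit (in SPL, OR is evaluated before the implicit AND, but being explicit avoids surprises when more terms are added). Both forms let the indexer discard non-matching events before any field extraction or the dedup stage runs, which is where the speed-up over keyword12!="NULL" comes from: a negated term still has to extract the field from every event in the index and time range to decide whether to exclude it.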
Hi smhsplunk,
I'm wondering if you could just put your filter keyword12!=NULL in the main query rather than after the pipeline. Please try this:
index=main keyword12!=NULL | dedup host keyword12
Hope it helps. Thanks!
Hunter Shen
One of the best pieces of Splunk advice I have got so far!!! Removing != and putting the possible values in OR makes things way faster.
Glad I could help. Cheers!