Making field extractor searches faster

smhsplunk
Communicator

How to extract extracted fields faster

When I search for a field in the search window it's very fast (although it returns the entire event).

But when I use the field extractor to convert it into a keyword (which is a part of the event) and look for the keyword in a search, then it's very slow:

    index=main host="*"
    | search * keyword12!="NULL"
    | dedup host
    | table keyword12, host

Trying to find the matches with keyword12 in the hosts.
How can I make this fast? Am I using the above search properly?

1 Solution

twinspop
Influencer

There is no benefit to searching for something, then re-running search in a new command (after a pipe). And bare asterisks serve no purpose at all.

    index=main keyword12!="NULL"
    | dedup host
    | table keyword12, host

This will return the same results as your search and should be a lot more efficient.

EDIT: If at all possible avoid negated searching. In other words, try to turn the keyword12 NOT EQUAL term into a positive match, or a series of positive matches using OR. Negative matching is far less efficient than positive matching:

    keyword12=something OR keyword12=somethingelse OR keyword12=otherthing


hunters_splunk
Splunk Employee

Hi smhsplunk,

I'm wondering if you could just put your filter keyword12!=NULL in the main query rather than after the pipeline. Please try this:

    index=main keyword12!=NULL | dedup host keyword12

Hope it helps. Thanks!
Hunter Shen

smhsplunk
Communicator

One of the best pieces of Splunk advice I have got so far!!! Removing != and putting the possible values in an OR makes things way faster.


twinspop
Influencer

Glad I could help. Cheers!
