Splunk Search

Is there any way to optimize post process searches instead of running them alternately?

akhil36109
New Member

Search 1 is :

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname

search 2 already has a join in it but I still take this is as one search :

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval

The Full Searches:

first one;

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname 
| join type=outer reportname 
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval ] 
| table reportname,time_interval,ReportCreatedDate 
| fillnull value="Extra_reports"

Second one:

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval 
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"

By joining search 1 type=outer [search 2 ] gives me Extra reports which are present in search1 and not present in search2

By joining search 2 type=outer [search 1 ] gives me missing reports which are present in search2 and not present in search1

Is there any way to optimize them instead of running alternately?

Thank you

0 Karma

valiquet
Contributor

Search 2 optimized. Stay away of subsearches. Stats is much faster than dedup

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver OR (index=offered_reports earliest=1522540800 Master="master_splunk")
| eval offer=lower(offer), Offer_Given=lower(Offer_Given)
| stats values(*) as * by reportname time_interval offer Offer_Given
| fields reportname time_interval

0 Karma

woodcock
Esteemed Legend

If you will give me samples from each set of data and then mockups of what you need, then I will answer your question.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...