Is there any way to optimize post process searches...

akhil36109 · ‎04-20-2018

Search 1 is :

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname

search 2 already has a join in it but I still take this is as one search :

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval

The Full Searches:

first one;

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname 
| join type=outer reportname 
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval ] 
| table reportname,time_interval,ReportCreatedDate 
| fillnull value="Extra_reports"

Second one:

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval 
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"

By joining search 1 type=outer [search 2 ] gives me Extra reports which are present in search1 and not present in search2

By joining search 2 type=outer [search 1 ] gives me missing reports which are present in search2 and not present in search1

Is there any way to optimize them instead of running alternately?

Thank you

valiquet · ‎12-21-2018

Search 2 optimized. Stay away of subsearches. Stats is much faster than dedup

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver OR (index=offered_reports earliest=1522540800 Master="master_splunk")
| eval offer=lower(offer), Offer_Given=lower(Offer_Given)
| stats values(*) as * by reportname time_interval offer Offer_Given
| fields reportname time_interval

woodcock · ‎04-20-2018

If you will give me samples from each set of data and then mockups of what you need, then I will answer your question.

Is there any way to optimize post process searches instead of running them alternately?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...