Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is it slow if you don't use a numeric value when searching in a datamodel?

gfrizzo
Engager
‎06-26-2018 02:45 PM

The following example is pretty fast: 

| from datamodel:rc-stats | search _time > 1519966560 _time <= 1519970160 | stats count

Why the next two similar queries are so slow? The slowness also occurs if we evaluate values before the search.

| from datamodel:rc-stats | search earliest = 1519966560 latest = 1519970160 | stats count as cnt

| from datamodel:rc-stats | search _time > -4h@h _time <= -3h@h | stats count as cnt

We need to calculate the time ranges before doing the search on the datamodel but if we use anything that is not a numeric value, the search does a full scan which is pretty slow.

Is there a way to do a search using calculated time ranges that is as fast as the first query?

Example: (the real query uses more complex ranges)

| from datamodel:rc-stats
| eval now = now()
| eval lastFourHours = now - (4 * 3600)
| search _time >= lastFourHours
| ...
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-26-2018 02:52 PM

Try this tstats approach

| tstats summariesonly=true count from datamodelName WHERE _time > whateverInEpoch AND _time < whateverInEpoch

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-26-2018 02:54 PM

Read this documentation on what the tstats options do. If it’s not accelerated for example then summariesonly=true won’t work.

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Tstats

0 Karma
Reply

gfrizzo
Engager
‎06-26-2018 03:09 PM

It is not possible to calculate the ranges before executing the command tstats: "Error in 'tstats' command: This command must be the first command of a search."

| eval now = now()
| eval lastFourHours = now - (4 * 3600)
| eval yesterdayStart = lastFourHours - 86400
| eval yesterdayEnd = now - 86400 
| tstats summariesonly=true count from rc-stats WHERE (_time >= yesterdayStart) AND (_time <= yesterdayEnd)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-26-2018 04:08 PM

That’s why I have a pipe before tstats

| tstats ...

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-26-2018 04:14 PM

i see what you’re saying.

You could use the map command 

| eval now = now()
| eval lastFourHours = now - (4 * 3600)
| eval yesterdayStart = lastFourHours - 86400
 | eval yesterdayEnd = now - 86400 
 | map search=[| tstats summariesonly=true count from rc-stats WHERE (_time >= $yesterdayStart$) AND (_time <= $yesterdayEnd$)]
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...