Splunk Search

Splunk Search Syntax

NeonFlash
Explorer

Hi,

I want to know the difference between the following 2 searches:

sourcetype="source" search NOT field2=*keyword* | table field1, field2, field3

and

sourcetype="source" | table field1, field2, field3 | search NOT field2=*keyword*

I am not getting all the relevant results with the first search query.

What I am trying to do is: I want to reduce the number of results returned by the sourcetype and later process them by piping the output to a regex.

the second splunk query takes a longer time to execute because it will at first extract all the results from the sourcetype and then apply a filter on field2.

I want to reduce the number of results extracted from the sourcetype itself while running the query to reduce the execution time of query.

something like in SQL:

select * from table where column_name LIKE '%keyword%'

so, here I have reduced the results returned by SQL query itself which can later be processed by piping the output to another expression.

Tags (1)
0 Karma

jhallur_splunk
Splunk Employee
Splunk Employee

Your 1st query is searching for the events having the keyword 'search' (along with other conditions given the query). The events which doesn't have the 'search' keyword are dropped from your search result. Hence the different results you see.

The keyword 'search' should be after the '|' in your 1st query. Either remove the keyword 'search' from the query or add '|' symbol before 'search' keyword.

Please vote if you think this answer provided required clarification for you.

Regards
Jayanna Hallur

0 Karma

proletariat99
Communicator

Yes, but aside from the typo, it's still a valuable question. The difference between the two

sourcetype="source" NOT field2=*keyword* | table field1, field2, field3

sourcetype="source" | table field1, field2, field3 | search NOT field2=*keyword*

is that the first one is slightly faster. They both should return the same result, but the first one eliminates a key:value pair before putting it into a table (which takes cycles.) The second one builds the table, then removes stuff.

0 Karma

DisabledLeopard
Explorer

You've misused the term "search" in your first search.

As you have it:

sourcetype="source" search NOT field2=*keyword* | table field1, field2, field3

The term "search" is being used as a keyword in a search. Ie find events in sourcetype="source" containing "search" but not having field2="keyword"

What you want is simply:

sourcetype="source" NOT field2=*keyword* | table field1, field2, field3
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...