Splunk Search

How to improve the performance of a search with multiple tstats command?

AKG1_old1
Builder

Hi,

My search query has multiple tstats commands. Also, there are two independent search queries separated by appendcols. Looking for suggestions to improve performance.

I tried using multisearch but it's not working, saying the subsearch contains a non-streaming command.

Query:

| tstats summariesonly=false max(LIVEBOOK.Elapsed) AS Elapsed FROM datamodel=MXTIMING_LIVEBOOK_V2 WHERE host=QCST_RSAT_V42 LIVEBOOK.Elapsed > 0 AND LIVEBOOK.Context+Command="*" AND 
    [| tstats count FROM datamodel=MXTIMING_LIVEBOOK_V2 WHERE host=QCST_RSAT_V42 LIVEBOOK.NPID="727614" GROUPBY source 
    | table source ] 
    GROUPBY LIVEBOOK.Context+Command LIVEBOOK.Time _time span=1s 
| rename LIVEBOOK.Context+Command as Context+Command 
| rename LIVEBOOK.Time as Time 
| timechart bins=2000 max(Elapsed) by Context+Command 
| appendcols 
    [| tstats summariesonly=false max(LIVEBOOK.Memory) AS VmPeak max(LIVEBOOK.VmHWM_V2) AS VmHWM max(LIVEBOOK.Malloc_V2) AS Malloc FROM datamodel=MXTIMING_LIVEBOOK_V2 WHERE host=QCST_RSAT_V42 AND LIVEBOOK.Elapsed > 0 AND 
        [| tstats count FROM datamodel=MXTIMING_LIVEBOOK_V2 WHERE host=QCST_RSAT_V42 LIVEBOOK.NPID="727614" GROUPBY source 
        | table source ]
        AND LIVEBOOK.Context+Command="*" GROUPBY LIVEBOOK.Context+Command LIVEBOOK.Time _time span=1s 
    | timechart bins=2000 max(VmPeak) as Mem_VmPeak ] 
| fields - OTHER 
| eval Mem_Malloc = if(Mem_Malloc==0,"",Mem_Malloc) 
| eval Mem_VmHWM = if(Mem_VmHWM==0,"",Mem_VmHWM) 
| eval Mem_VmPeak = if(Mem_VmPeak==0,"",Mem_VmPeak)

0 Karma

richgalloway
SplunkTrust

I think this can be done without appendcols. Try this query to see if it helps.

| tstats summariesonly=false max(LIVEBOOK.Elapsed) AS Elapsed max(LIVEBOOK.Memory) AS VmPeak max(LIVEBOOK.VmHWM_V2) AS VmHWM max(LIVEBOOK.Malloc_V2) AS Malloc FROM datamodel=MXTIMING_LIVEBOOK_V2 WHERE host=QCST_RSAT_V42 LIVEBOOK.Elapsed > 0 AND LIVEBOOK.Context+Command="*" AND 
     [| tstats count FROM datamodel=MXTIMING_LIVEBOOK_V2 WHERE host=QCST_RSAT_V42 LIVEBOOK.NPID="727614" GROUPBY source 
     | fields source
     | format ] 
     GROUPBY LIVEBOOK.Context+Command LIVEBOOK.Time _time span=1s 
| rename LIVEBOOK.* as * 
| bin bins=2000 _time 
| stats max(Elapsed) max(VmPeak) as Mem_VmPeak by Context+Command 
| fields - OTHER 
| eval Mem_VmPeak = if(Mem_VmPeak==0,"",Mem_VmPeak)
---
If this reply helps you, Karma would be appreciated.
0 Karma

AKG1_old1
Builder

Thanks, but this query produces different results.

0 Karma

richgalloway
SplunkTrust

How is it different?

---
If this reply helps you, Karma would be appreciated.
0 Karma

AKG1_old1
Builder

The output produces only two columns. The original query has multiple columns (one for each Context+Command and one for memory).

0 Karma

richgalloway
SplunkTrust

Modify the stats command to add the columns you want.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AKG1_old1
Builder

There is no fixed / same occurrence of Context+Command. My reason for posting this question is to find out if there is any way to run multiple queries in parallel using tstats.

0 Karma

richgalloway
SplunkTrust

Have you checked the job inspector to see where the query is spending its time?

---
If this reply helps you, Karma would be appreciated.
0 Karma

AKG1_old1
Builder

Attached screenshot of the job inspector. Most of the time is spent on appendcols, that's why I am looking for an option to run these two queries in parallel, as they are independent. multisearch is not working either.

0 Karma
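Added example (not from either participant in the thread): richgalloway's single-pass tstats, extended so that the output keeps the original layout of one Elapsed column per Context+Command plus a single Mem_VmPeak column, without a second tstats pass or appendcols. It assumes timechart names split-by columns as "<alias>: <split value>" when several aggregations are given, and that the datamodel, host and NPID values from the thread are the ones wanted; LIVEBOOK.Time is dropped from GROUPBY because timechart only needs _time.

```spl
| tstats summariesonly=false
      max(LIVEBOOK.Elapsed) AS Elapsed
      max(LIVEBOOK.Memory)  AS VmPeak
  FROM datamodel=MXTIMING_LIVEBOOK_V2
  WHERE host=QCST_RSAT_V42 LIVEBOOK.Elapsed>0 LIVEBOOK.Context+Command="*"
      [| tstats count FROM datamodel=MXTIMING_LIVEBOOK_V2
         WHERE host=QCST_RSAT_V42 LIVEBOOK.NPID="727614"
         GROUPBY source
       | fields source
       | format ]
  GROUPBY LIVEBOOK.Context+Command _time span=1s
| rename LIVEBOOK.* AS *
| timechart bins=2000 max(Elapsed) AS Elapsed max(VmPeak) AS Mem_VmPeak by Context+Command
| foreach "Mem_VmPeak: *" [ eval Mem_VmPeak = max(coalesce(Mem_VmPeak, 0), coalesce('<<FIELD>>', 0)) ]
| fields - "Mem_VmPeak: *" OTHER
| rename "Elapsed: *" AS *
| eval Mem_VmPeak = if(Mem_VmPeak==0, "", Mem_VmPeak)
```

The foreach collapses the per-command "Mem_VmPeak: <command>" columns into one Mem_VmPeak column per time bin, so the data model is read once; check the job inspector afterwards to confirm the appendcols phase is gone.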