Hi, I'm trying to create a search that returns certain hosts that are NOT found returning data. I know I can do this with a lookup table, but I wanted to see if I could just embed the hosts in the SPL to prevent the need for a lookup (less maintenance). Below is what is working, but the append is taking a long time. Any suggestions on how I can get this to perform better?
Thank you!
Chris
| makeresults
| eval host="hosta hostb hostc" `comment("This creates an event for each host")`
| makemv delim=" " host
| mvexpand host
| append
[ search index=_internal sourcetype=splunkd component=Metrics (host=hosta OR host=hostb OR host=hostc)
| fields host ]
| stats count by host
| search count=1
| mvcombine host delim="name:"
| nomv host | eval hoststring= "name:" + host
| fields hoststring |`comment("This is evaluated against the search and if no host exists, a value of 1 event will be returned with a formatted string")`
Try this version
| makeresults
| eval host="hosta hostb hostc" `comment("This creates an event for each host")`
| makemv delim=" " host
| mvexpand host
| append
[ | tstats count WHERE index=_internal sourcetype=splunkd (host=hosta OR host=hostb OR host=hostc) by host
| fields host ]
| stats count by host
| search count=1
| mvcombine host delim="name:"
| nomv host | eval hoststring= "name:" + host
| fields hoststring |`comment("This is evaluated against the search and if no host exists, a value of 1 event will be returned with a formatted string")`
I see tstats, think you meant:
| tstats count where (host=hosta OR host=hostb OR host=hostc) by host
But that didn't help, it still takes several seconds (5-8) for the append. Even with a small time window, 15 min. dispatch.evaluate.append is where it is spending time.
Thanks
Chris
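As an added example (not code from any post in this thread), here is a restructuring of the same search that moves the cost out of the append: the tstats query runs as the main, generating search and the constant host list is what gets appended, so the subsearch is only a makeresults over a string literal. It assumes the same host names, index and sourcetype as the question, takes the time range from the time picker, and reuses the user-defined `comment()` macro the question already relies on.

```spl
| tstats count WHERE index=_internal sourcetype=splunkd (host=hosta OR host=hostb OR host=hostc) BY host
| append
    [| makeresults
     | eval host="hosta hostb hostc", count=0 `comment("Expected hosts as a constant; each one gets a zero-count row")`
     | makemv delim=" " host
     | mvexpand host
     | fields host count ]
| stats sum(count) AS count BY host `comment("Hosts seen by tstats sum to more than 0; hosts present only in the constant list stay at 0")`
| where count=0
| stats values(host) AS missing_hosts
| eval hoststring="name:" + mvjoin(missing_hosts, "name:") `comment("Same name: prefix and delimiter as the original search")`
| fields hoststring
```

With the expensive search outside the brackets, the subsearch has nothing to scan, so dispatch.evaluate.append should drop to near zero; the summing stats then flags exactly the hosts that produced no events in the selected window, and the search returns no rows when every host reported, which matches the original behaviour.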