https://community.splunk.com/t5/Splunk-Dev/How-to-optimize-this-query/m-p/643131#M11055 <P>Thanks much.&nbsp;</P><P>This search has completed and has returned 5,225 results by scanning 29,868 events in 0.592 seconds. Where the older one's was 1.606 seconds which is great news |||</P><P>&nbsp;</P> Fri, 12 May 2023 05:04:48 GMT spoo 2023-05-12T05:04:48Z https://community.splunk.com/t5/Splunk-Dev/How-to-optimize-this-query/m-p/642966#M11052 <P>index="abcd"<BR />| eval _time = strptime(TS_Changed_At,"%d/%m/%Y %H:%M")<BR />| sort 0 ID _time<BR />| dedup ID _time<BR />| eventstats last(Status) as current_status by ID<BR />| where current_status="AAA" OR current_status="BBB" OR current_status="CCC"<BR />| streamstats current=f window=1 values(Status) as prev_status by ID<BR />| where NOT Status=prev_status<BR />| eval Cal= if(Status="CCC" AND (NOT prev_status="AAA " AND NOT prev_status="BBB"),substr(TS_Last_Status_Change,1,16),if(Status="BBB" AND NOT prev_status="AAA",substr(TS_Last_Status_Change,1,16),if(Status="AAA",substr(TS_Last_Status_Change,1,16),"")))<BR />| where NOT Cal=""<BR />| eventstats max(eval(strptime(Cal,"%d/%m/%Y %H:%M"))) as max_ by ID<BR />| where max_ = strptime(Cal,"%d/%m/%Y %H:%M")<BR />| table ID Cal</P> Thu, 11 May 2023 12:24:06 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-optimize-this-query/m-p/642966#M11052 spoo 2023-05-11T12:24:06Z https://community.splunk.com/t5/Splunk-Dev/How-to-optimize-this-query/m-p/643050#M11054 <P>What is the goal of the query?&nbsp; There may be a more efficient way to accomplish the same thing.</P><P>Here are some general tips:</P><UL><LI>Make the base search (before the first pipe) as specific as possible to reduce the number of events read from the index.</LI><LI>Use the <FONT face="courier new,courier">fields</FONT> command early to eliminate unused fields.</LI><LI>Sort only when and where necessary.</LI><LI>Use non-distributable commands as late in the query as possible.&nbsp; The first non-distributable command makes the entire query single-threaded (so to speak).</LI></UL><LI-CODE lang="markup">index="abcd" ID=* TS_Changed_At=* sourcetype=foo | fields ID TS_Changed_At Status Cal | eval _time = strptime(TS_Changed_At,"%d/%m/%Y %H:%M") | dedup ID _time | eventstats last(Status) as current_status by ID | where current_status="AAA" OR current_status="BBB" OR current_status="CCC" | sort 0 ID _time | streamstats current=f window=1 values(Status) as prev_status by ID | where NOT Status=prev_status | eval Cal= if(Status="CCC" AND (NOT prev_status="AAA " AND NOT prev_status="BBB"),substr(TS_Last_Status_Change,1,16),if(Status="BBB" AND NOT prev_status="AAA",substr(TS_Last_Status_Change,1,16),if(Status="AAA",substr(TS_Last_Status_Change,1,16),""))) | where NOT Cal="" | eventstats max(eval(strptime(Cal,"%d/%m/%Y %H:%M"))) as max_ by ID | where max_ = strptime(Cal,"%d/%m/%Y %H:%M") | table ID Cal</LI-CODE><P>&nbsp;</P> Thu, 11 May 2023 13:41:29 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-optimize-this-query/m-p/643050#M11054 richgalloway 2023-05-11T13:41:29Z https://community.splunk.com/t5/Splunk-Dev/How-to-optimize-this-query/m-p/643131#M11055 <P>Thanks much.&nbsp;</P><P>This search has completed and has returned 5,225 results by scanning 29,868 events in 0.592 seconds. Where the older one's was 1.606 seconds which is great news |||</P><P>&nbsp;</P> Fri, 12 May 2023 05:04:48 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-optimize-this-query/m-p/643131#M11055 spoo 2023-05-12T05:04:48Z