https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325823#M2992 <P>Sorry but this query doesn't extract any results</P> Wed, 12 Apr 2017 14:54:14 GMT spillo491 2017-04-12T14:54:14Z https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325821#M2990 <P>Hi, </P> <P>I have a problem with this query executed on 3 months</P> <PRE><CODE>index="app" host="sl0920*" source="/home/java/jboss-eap-6.2/app/log/teller-web.log" OR source="/home/java/jboss-eap-6.2/app/log/desktop-web.log" priority="FATAL" category="AUDIT*" message="{Invoking*" | eval date = strftime(_time, "%Y-%m-%d") | stats count as Contatore by message,correlationId,date | where Contatore &gt; 1 | eval tot = Contatore/2 | chart sum(tot) as tot by date </CODE></PRE> <P>Is it possible rewrite the same query with a query with better performances please ?</P> Wed, 12 Apr 2017 12:34:40 GMT https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325821#M2990 spillo491 2017-04-12T12:34:40Z https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325822#M2991 <P>I don't see anything obviously bad about the code. When possible, you want to avoid reformatting data at the event level before the data is summarized, and a numeric field (or epoch time field) is more efficient for summary than a display field, but you at least need to <CODE>bin</CODE> the <CODE>_time</CODE> at the <CODE>1d</CODE> level, so we can't avoid a reformat completely. </P> <P>Try this, and see what happens. There might be a marginal improvement.</P> <PRE><CODE> index="app" host="sl0920*" (source="/home/java/jboss-eap-6.2/app/log/teller-web.log" OR source="/home/java/jboss-eap-6.2/app/log/desktop-web.log") priority="FATAL" category="AUDIT*" message="{Invoking*" | table _time, message, correlationId | bin _time as date span=1d | stats count as Contatore by message, correlationId, date | where Contatore &gt; 1 | eval tot = Contatore/2 | eval date = strftime(_time, "%Y-%m-%d") | chart sum(tot) as tot by date </CODE></PRE> <P>I'm tempted to try a <CODE>timechart</CODE> version, but without your data, I have no way of knowing if it would get better results. </P> Wed, 12 Apr 2017 14:24:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325822#M2991 DalJeanis 2017-04-12T14:24:35Z https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325823#M2992 <P>Sorry but this query doesn't extract any results</P> Wed, 12 Apr 2017 14:54:14 GMT https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325823#M2992 spillo491 2017-04-12T14:54:14Z https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325824#M2993 <P>@spillo491... do you get any result when you run 1st 4 lines of DalJeanis' code?</P> Wed, 12 Apr 2017 15:31:26 GMT https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325824#M2993 niketn 2017-04-12T15:31:26Z https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325825#M2994 <P>On a different thought... If you have too many events to be handled in 30 days... You can actually try summary index.</P> Wed, 12 Apr 2017 15:32:39 GMT https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325825#M2994 niketn 2017-04-12T15:32:39Z https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325826#M2995 <P>Yes, I get results !</P> Thu, 13 Apr 2017 06:40:58 GMT https://community.splunk.com/t5/Monitoring-Splunk/Heavy-query/m-p/325826#M2995 spillo491 2017-04-13T06:40:58Z