https://community.splunk.com/t5/Reporting/report-acceleration-memory-usage/m-p/309161#M5681 <P>To add on to cmerriman's comment, following is the documentation on performing stats first and then lookup: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search</A></P> <P>Following rename can be moved to later part of the query (after stats), possibly the final command for formatting. </P> <PRE><CODE>| rename SubjectUserSid as user, NewProcessName as process </CODE></PRE> <P>PS: You do not need to match field names to perform lookup:</P> <PRE><CODE>| lookup whitelist_win process AS NewProcessName </CODE></PRE> Tue, 11 Jul 2017 12:01:25 GMT niketn 2017-07-11T12:01:25Z https://community.splunk.com/t5/Reporting/report-acceleration-memory-usage/m-p/309159#M5679 <P>Hi,</P> <P>I am looking for answer to two questions:</P> <P>1) How command <CODE>| savedsearch</CODE> provides results if the report has time input, and I select wider range in my query?<BR /> This report defaults to Last 24 hours with search, and has 3 months accelerated.</P> <P>2) How to debug extremly high memory usage (over 12 GB) on searchhead if I start a query and run it for last 30 days?</P> <P>Report search looks like: <CODE>index="wineventlog" host=* (EventID=4688 OR EventID=861) NewProcessName=* SubjectUserName=* | rename SubjectUserSid as user, NewProcessName as process | lookup whitelist_win process | fillnull active | stats sparkline(count) AS timeline, max(active) AS active by host, user, process</CODE><BR /> My search which use this report is <CODE>| savedsearch "WinRunningApps"</CODE></P> <P>This lookup is small, and has a wildcard matching.</P> Tue, 11 Jul 2017 11:34:43 GMT https://community.splunk.com/t5/Reporting/report-acceleration-memory-usage/m-p/309159#M5679 lukasz92 2017-07-11T11:34:43Z https://community.splunk.com/t5/Reporting/report-acceleration-memory-usage/m-p/309160#M5680 <P>for the time range portion, if you select a new time range in the time picker, it overrides the range saved in the saved search. you can see that under <STRONG>Time ranges</STRONG> in the documentation<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Savedsearch">https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Savedsearch</A></P> <P>one thing that might help make this more efficient is to aggregate the results before the lookup, if possible. you're joining your lookup to every single event, if you could narrow the number of rows it had to join to, that might help.</P> Tue, 11 Jul 2017 11:50:16 GMT https://community.splunk.com/t5/Reporting/report-acceleration-memory-usage/m-p/309160#M5680 cmerriman 2017-07-11T11:50:16Z https://community.splunk.com/t5/Reporting/report-acceleration-memory-usage/m-p/309161#M5681 <P>To add on to cmerriman's comment, following is the documentation on performing stats first and then lookup: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search</A></P> <P>Following rename can be moved to later part of the query (after stats), possibly the final command for formatting. </P> <PRE><CODE>| rename SubjectUserSid as user, NewProcessName as process </CODE></PRE> <P>PS: You do not need to match field names to perform lookup:</P> <PRE><CODE>| lookup whitelist_win process AS NewProcessName </CODE></PRE> Tue, 11 Jul 2017 12:01:25 GMT https://community.splunk.com/t5/Reporting/report-acceleration-memory-usage/m-p/309161#M5681 niketn 2017-07-11T12:01:25Z