https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43087#M10129 <P>Thank you for your reply! Here is a sample of the queries I'm trying to run: </P> <P><A href="https://gist.github.com/3499469">https://gist.github.com/3499469</A></P> <P>The log is a basic nginx log. You can see that most of the queries contain 'top', or many 'count's.</P> Tue, 28 Aug 2012 16:03:23 GMT balidani 2012-08-28T16:03:23Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43085#M10127 <P>Hello!</P> <P>I'm trying to run many queries on a log every day. Is it possible to bundle these searches together, so Splunk doesn't have to iterate over the whole log every time?</P> <P>I tried searching for an answere here and in the documentation, but I didn't manage to find anything.<BR /> Thanks in advance!</P> Thu, 23 Aug 2012 18:33:31 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43085#M10127 balidani 2012-08-23T18:33:31Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43086#M10128 <P>Maybe, it depends on the searches. If you give us a sample (2 or 3) of the searches, and a few lines of the log... we might be able to come up with some ideas for you.</P> <P>I find that it is often possible to reduce the number of searches, even when you can't bundle <EM>all</EM> of them together.</P> Mon, 27 Aug 2012 20:13:29 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43086#M10128 lguinn2 2012-08-27T20:13:29Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43087#M10129 <P>Thank you for your reply! Here is a sample of the queries I'm trying to run: </P> <P><A href="https://gist.github.com/3499469">https://gist.github.com/3499469</A></P> <P>The log is a basic nginx log. You can see that most of the queries contain 'top', or many 'count's.</P> Tue, 28 Aug 2012 16:03:23 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43087#M10129 balidani 2012-08-28T16:03:23Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43088#M10130 <P>Okay, here is how I would do some of these</P> <PRE><CODE>sourcetype="nginx_log" earliest=-1d@d latest=@d | eval urlGroup = "" | eval urlGroup = case(match(url,"^/ws/2/label/"),"/ws/2/label/", match(url,"^/ws/2/artist/"),"/ws/2/artist/", match(url,"^/ws/2/release-group/"),"/ws/2/release-group/", match(url,"^/ws/2/release/"),"/ws/2/release/", match(url,"^/ws/2/recording/"),"/ws/2/recording/", match(url,"^/ws/2/work/"),"/ws/2/work/") | top 50 inc by urlGroup </CODE></PRE> <P>Would do the first 7 searches as a single search. The eighth search can be, in and of itself, dramatically simplified as follows:</P> <PRE><CODE>sourcetype="nginx_log" query="*" earliest=-1d@d latest=@d | fields url | eval name = "" | eval name = case(match(url,"^/ws/1/artist/","Artists", match(url,"^/ws/1/track/"),"Tracks", match(url,"^/ws/1/release-group/"),"Release-group", match(url,"^/ws/1/release/"),"Releases", match(url,"^/ws/1/label/"),"Labels") | stats count by name </CODE></PRE> <P>This should be more efficient. The remaining searches could follow this second pattern.</P> <P>Try it and see what you think.</P> Wed, 29 Aug 2012 21:50:53 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43088#M10130 lguinn2 2012-08-29T21:50:53Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43089#M10131 <P>Thank you! Querying takes a significantly shorter amount of time now.</P> Sun, 09 Sep 2012 23:17:07 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-bundle-multiple-searches-together/m-p/43089#M10131 balidani 2012-09-09T23:17:07Z