topic Re: What is the most efficient way of comparing two indexes. in Splunk Search

What is the most efficient way of comparing two indexes.

michaelrosello — Thu, 31 May 2018 02:40:44 GMT

I'm comparing in event1 from indexA is existing in indexB.
Currently I am using join in comparing this two indexes but it is slow when a lot of data exist.

Is there a more faster and efficient way in achieving this result?

index=indexA 
        | eval indexA_message_id = Message_ID
        | join type=outer Message_ID
    [ search index=indexB
    | eval indexB_message_id = Message_ID 
    | fields Message_ID mdh_message_id]
| where NOT indexA_message_id=indexB_message_id
| table Transaction_Type indexA_message_id

Re: What is the most efficient way of comparing two indexes.

MuS — Thu, 31 May 2018 02:56:53 GMT

Hi michaelrosello,

try this:

index=indexA OR index=indexB 
| stats count dc(index) AS dc_idx values(*) AS * by Message_ID 
| where dc_idx = 1 
| table Transaction_Type Message_ID

The where clause is your filter to get events that are either only in one of the indexes (1) or in both (2).

Hope this helps ...

cheers, MuS