https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483377#M135335 <PRE><CODE>(index=x 2202) OR (index=y 2203 client 77777) | spath "EventStreamData.requestContext.id" output=transaction_number | spath "EventStreamData.httpStatus" output=STATUS | spath "EventStreamData.response.transactionNumber" output=transaction_number | stats count AS "COUNT" by transaction_number STATUS | eval STATUS_MESSAGE= case(like(STATUS,"2%"), "Success" ,like(STATUS,"5%") OR (STATUS==404), "Server Error",like(STATUS,"4%") ,"Client Error" ,true() ,"Other Error") | table STATUS_MESSAGE, STATUS, COUNT | fields STATUS_MESSAGE, STATUS, COUNT | addcoltotals COUNT </CODE></PRE> <P>Is this OK?</P> Thu, 27 Feb 2020 11:32:47 GMT to4kawa 2020-02-27T11:32:47Z https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483375#M135333 <P>I need to do a search on multiple indexes/events and need to do a join on different fields from both. Below query works but is really slow when there are large number of results. Looking for an alternative solution that can help improve the performance. Thanks!</P> <P>index=x 2202<BR /> | spath "EventStreamData.requestContext.id" <BR /> | spath "EventStreamData.httpStatus"<BR /><BR /> | rename EventStreamData.httpStatus as "STATUS"<BR /> | rename EventStreamData.requestContext.id as "transaction_number"<BR /> | fields transaction_number, STATUS<BR /> |join transaction_number<BR /> [|search index=y 2203<BR /> | spath "EventStreamData.requestContext.allRequestHeaders.client{}" <BR /> | search "EventStreamData.requestContext.allRequestHeaders.client{}"=77777<BR /> | spath "EventStreamData.response.transactionNumber" <BR /> | rename EventStreamData.response.transactionNumber as "transaction_number"<BR /> | fields transaction_number]<BR /> | stats count AS "COUNT" by STATUS | eval STATUS_MESSAGE= case(((STATUS==200) OR (STATUS==201)), "Success", ((STATUS==500) OR (STATUS==502) OR (STATUS==504) OR (STATUS==404)), "Server Error",((STATUS==400) OR (STATUS==401) OR (STATUS==403) OR (STATUS==409)), "Client Error") | table STATUS_MESSAGE, STATUS, COUNT | addcoltotals COUNT</P> Wed, 30 Sep 2020 04:25:02 GMT https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483375#M135333 amdhindsa 2020-09-30T04:25:02Z https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483376#M135334 <P>I think you'd want to do something like this instead:</P> <PRE><CODE>(index=x 2202) OR (index=y 2203) | spath "EventStreamData.requestContext.id" | spath "EventStreamData.httpStatus" | rename EventStreamData.httpStatus as "STATUS" | rename EventStreamData.requestContext.id as "transaction_number" | spath "EventStreamData.requestContext.allRequestHeaders.client{}" | search "EventStreamData.requestContext.allRequestHeaders.client{}"=77777 | spath "EventStreamData.response.transactionNumber" | rename EventStreamData.response.transactionNumber as "transaction_number" | stats count AS "COUNT" values(STATUS) as STATUS by transaction_number | eval STATUS_MESSAGE= case(((STATUS==200) OR (STATUS==201)), "Success", ((STATUS==500) OR (STATUS==502) OR (STATUS==504) OR (STATUS==404)), "Server Error",((STATUS==400) OR (STATUS==401) OR (STATUS==403) OR (STATUS==409)), "Client Error") | table STATUS_MESSAGE, STATUS, COUNT | addcoltotals COUNT </CODE></PRE> <P>Kind of hard to tell without sample data from both indexes though.</P> Thu, 27 Feb 2020 01:01:04 GMT https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483376#M135334 masonmorales 2020-02-27T01:01:04Z https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483377#M135335 <PRE><CODE>(index=x 2202) OR (index=y 2203 client 77777) | spath "EventStreamData.requestContext.id" output=transaction_number | spath "EventStreamData.httpStatus" output=STATUS | spath "EventStreamData.response.transactionNumber" output=transaction_number | stats count AS "COUNT" by transaction_number STATUS | eval STATUS_MESSAGE= case(like(STATUS,"2%"), "Success" ,like(STATUS,"5%") OR (STATUS==404), "Server Error",like(STATUS,"4%") ,"Client Error" ,true() ,"Other Error") | table STATUS_MESSAGE, STATUS, COUNT | fields STATUS_MESSAGE, STATUS, COUNT | addcoltotals COUNT </CODE></PRE> <P>Is this OK?</P> Thu, 27 Feb 2020 11:32:47 GMT https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483377#M135335 to4kawa 2020-02-27T11:32:47Z https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483378#M135336 <P>Both of the above queries worked but it was giving response by transaction_number and not the total based on STATUS. <BR /> Adding - stats count as "COUNT" by STATUS_MESSAGE, STATUS to both returns an expected response. </P> <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/208401">@masonmorales</a> and <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>.</P> <P>Query-<BR /> (index=x 2202) OR (index=y 2203 client 77777) <BR /> | spath "EventStreamData.requestContext.id" output=transaction_number <BR /> | spath "EventStreamData.httpStatus" output=STATUS <BR /> | spath "EventStreamData.response.transactionNumber" output=transaction_number <BR /> | stats count AS "COUNT_BY_TX" by transaction_number STATUS<BR /> | eval STATUS_MESSAGE= case(like(STATUS,"2%"), "Success"<BR /> ,like(STATUS,"5%") OR (STATUS==404), "Server Error",like(STATUS,"4%") ,"Client Error" ,true() ,"Other Error") <BR /> <STRONG>| stats count as "COUNT" by STATUS_MESSAGE, STATUS</STRONG> <BR /> | table STATUS_MESSAGE, STATUS, COUNT<BR /> | fields STATUS_MESSAGE, STATUS, COUNT<BR /> | addcoltotals COUNT</P> Wed, 30 Sep 2020 04:25:33 GMT https://community.splunk.com/t5/Splunk-Search/Alternative-solution-for-join-with-bad-performance/m-p/483378#M135336 amdhindsa 2020-09-30T04:25:33Z