https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490301#M136920 <P>Sorry but the one you suggested changes our requirement.</P> <P>We are trying to use automatic lookups , so that we can enhance data faster</P> Wed, 27 Nov 2019 12:40:39 GMT vikashperiwal 2019-11-27T12:40:39Z https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490298#M136917 <P>Hi , </P> <P>I have a scenario where i am using KV store to get the events generated. But my query is taking 5hr to run which is unexpected .</P> <P>Please let me know way to improve the query optimization.<BR /> index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW ------ 5M events<BR /> lookup (lookup core_ip_voice_keystore )had -- 6,00,000</P> <P>Total events triggered 5M</P> <P>Query-----</P> <P>index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW <BR /> | lookup core_ip_voice_keystore DPC as N OPC as O CIC as K OUTPUT OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ <BR /> |fields A B C D E F K N O OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ<BR /> | search OPC=* <BR /> | table A B C D E F K N O OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ</P> Wed, 30 Sep 2020 03:04:42 GMT https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490298#M136917 vikashperiwal 2020-09-30T03:04:42Z https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490299#M136918 <PRE><CODE>index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW | eval DPC=N, OPC=O, CIC=K | inputlookup append=t core_ip_voice_keystore | table A B C D E F K N O OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ </CODE></PRE> <P>Hi, @vikashperiwal<BR /> Since <CODE>inputlookup</CODE> is used with <CODE>append = t</CODE> , <CODE>search OPC = *</CODE> is not necessary.<BR /> How about it?</P> Tue, 26 Nov 2019 11:23:23 GMT https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490299#M136918 to4kawa 2019-11-26T11:23:23Z https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490300#M136919 <P>Hi, @vikashperiwal<BR /> If this is still slow, you should consider creating a data model.<BR /> I don't know about data model, so please ask again. </P> Wed, 27 Nov 2019 12:18:17 GMT https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490300#M136919 to4kawa 2019-11-27T12:18:17Z https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490301#M136920 <P>Sorry but the one you suggested changes our requirement.</P> <P>We are trying to use automatic lookups , so that we can enhance data faster</P> Wed, 27 Nov 2019 12:40:39 GMT https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490301#M136920 vikashperiwal 2019-11-27T12:40:39Z https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490302#M136921 <P>Try moving the filter for OPC to the base search</P> <PRE><CODE>index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW O=* | lookup core_ip_voice_keystore DPC as N OPC as O CIC as K OUTPUT OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ | table A B C D E F K N O OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ </CODE></PRE> <P>If you need to configure automatic time lookup, use the following doc for reference <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Makeyourlookupautomatic#Example_configuration_of_an_automatic_KV_Store_lookup">https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Makeyourlookupautomatic#Example_configuration_of_an_automatic_KV_Store_lookup</A></P> <P>In your case.</P> <PRE><CODE>[ISUP_EVENT_ACCESS_VW] LOOKUP-core_ip_voice_keystore = core_ip_voice_keystore DPC as N OPC as O CIC as K OUTPUT OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ </CODE></PRE> <P>And the your search would be.</P> <PRE><CODE> index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW OPC=* | table A B C D E F K N O OPC DPC CIC ADNUM ADMININF NETNAME ROUTESET TRKGRSIZ </CODE></PRE> Wed, 27 Nov 2019 13:21:10 GMT https://community.splunk.com/t5/Splunk-Search/query-running-using-KV-store-is-taking-logn-time/m-p/490302#M136921 arjunpkishore5 2019-11-27T13:21:10Z