topic Re: Post process search in Splunk Search

Post process search

akhil36109 — Tue, 17 Apr 2018 18:49:58 GMT

I have two searches

I have a dashboard with two panels.

1st panel has a query search1 join type=outer[search 2 ] to get a table of results

2nd panel has a query search2 join type=outer [search 1 ] to get a table of results

I did the above thing because they both give diff results and I need both of them.

is there any way to optimize my dashboard??

Re: Post process search

DalJeanis — Tue, 17 Apr 2018 19:55:41 GMT

The only way we can help you is with more information. If you post the actual searches, then we can help you either optimize them or help you rethink it.

Your search can probably be refactored into something like this

(search 1) OR (search 2)
|  fields whatever.fields.you.want.from.either.type
| eval rectype=if(test.that.this.is.a.search.one,"search 1","search 2")
| stats values(*) as * by whatever.your.key.match.fields.are
| table whatever.your.key.match.fields.are rectype whatever.fields.you.want.from.either.type

Field rectype will be a multivalue field. If both types of records were found, then mvcount(rectype) will be 2. If mvcount(rectype) is 1, then rectype will be either "search 1" or "search 2", indicating the type of record that was present, with the other type being absent.

Re: Post process search

TISKAR — Tue, 17 Apr 2018 20:26:26 GMT

Hey,

To optimase your search you can use base search define here:

https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html

for example:

1. Define a base search:

       <search id="base_search">  <query >search1 join type=outer[search 2 ] </query></search>

    2. Use the base search like:

      <search base="base_search"><query>\example\ | stats count .....</query></search>
      <search base="base_search"><query>your_seconde_query</query></search>

Re: Post process search

akhil36109 — Tue, 29 Sep 2020 19:04:20 GMT

Search 1 is :
index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id
| rename report_id as reportname

search 2 is......... It has already a join in it but I still take this is as one search :

By joining search 1 type=outer [search 2 ] gives me Extra reports which are present in search1 and not present in search2

By joining search 2 type=outer [search 1 ] gives me missing reports which are present in search2 and not present in search1

Re: Post process search

akhil36109 — Tue, 29 Sep 2020 19:04:23 GMT

The Full Searches:

first one;

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id
| rename report_id as reportname
| join type=outer reportname
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval ]
| table reportname,time_interval,ReportCreatedDate
| fillnull value="Extra_reports"

Second one:

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"