https://community.splunk.com/t5/Splunk-Search/Efficient-searches-using-boolean-operators/m-p/132819#M184618 <P>I'm currently trying to optimize my searches to keep my Splunk searches as quick as possible. Is there any appreciable difference in search time or efficiency in the two following searches? My main point is, does condensed logic help make searches faster, or does it not matter in these cases?</P> <PRE><CODE>index=* NOT a NOT b NOT c</CODE></PRE> <PRE><CODE>index=* NOT (a OR b OR c)</CODE></PRE> <P>Both of these are logically equivalent because of the implied ANDs in the first query ((NOT a) AND (NOT b) AND (NOT c)), so I was curious if there was any major timing difference in the two queries.</P> Thu, 30 Jan 2014 22:46:59 GMT petermuller 2014-01-30T22:46:59Z https://community.splunk.com/t5/Splunk-Search/Efficient-searches-using-boolean-operators/m-p/132819#M184618 <P>I'm currently trying to optimize my searches to keep my Splunk searches as quick as possible. Is there any appreciable difference in search time or efficiency in the two following searches? My main point is, does condensed logic help make searches faster, or does it not matter in these cases?</P> <PRE><CODE>index=* NOT a NOT b NOT c</CODE></PRE> <PRE><CODE>index=* NOT (a OR b OR c)</CODE></PRE> <P>Both of these are logically equivalent because of the implied ANDs in the first query ((NOT a) AND (NOT b) AND (NOT c)), so I was curious if there was any major timing difference in the two queries.</P> Thu, 30 Jan 2014 22:46:59 GMT https://community.splunk.com/t5/Splunk-Search/Efficient-searches-using-boolean-operators/m-p/132819#M184618 petermuller 2014-01-30T22:46:59Z https://community.splunk.com/t5/Splunk-Search/Efficient-searches-using-boolean-operators/m-p/132820#M184619 <P>When you look at the search job inspector, you'll see debug messages at the very top. For both your examples they read the same:</P> <PRE><CODE>DEBUG: base lispy: [ AND [ NOT a ] [ NOT b ] [ NOT c ] index::* ] </CODE></PRE> <P>There cannot be a timing difference because Splunk's doing the same thing underneath.</P> <P>As a general optimization, the NOT operator can be slow in many situations. For example, when you run this:</P> <PRE><CODE>index=_internal NOT log_level=INFO </CODE></PRE> <P>You can see Splunk is scanning many events for only few matches. Looking at the debug info you see this:</P> <PRE><CODE>DEBUG: base lispy: [ AND index::_internal ] </CODE></PRE> <P>This means Splunk was not able to use any filter beyond selecting the index. That's because there's no word to look for that could be sped up by the index structure. Loading events without the word "info" wouldn't be correct, because it could appear elsewhere other than in the field log_level.</P> <P>On the other hand, running this search is faster:</P> <PRE><CODE>index=_internal NOT INFO </CODE></PRE> <P>The debug shows it's using some index structures to only look for events that don't have the word info in them, and avoids loading them off disk:</P> <PRE><CODE>DEBUG: base lispy: [ AND index::_internal [ NOT info ] ] </CODE></PRE> <P>These two searches obviously aren't equivalent.</P> Thu, 30 Jan 2014 23:12:12 GMT https://community.splunk.com/t5/Splunk-Search/Efficient-searches-using-boolean-operators/m-p/132820#M184619 martin_mueller 2014-01-30T23:12:12Z https://community.splunk.com/t5/Splunk-Search/Efficient-searches-using-boolean-operators/m-p/132821#M184620 <P>Thanks! I'll keep those in mind!</P> Thu, 30 Jan 2014 23:17:45 GMT https://community.splunk.com/t5/Splunk-Search/Efficient-searches-using-boolean-operators/m-p/132821#M184620 petermuller 2014-01-30T23:17:45Z