topic Re: table order with eval in Splunk Search

table order with eval

mikesangray — Wed, 30 Dec 2015 16:18:48 GMT

I've got a search that does a |table prior to doing an |eval for ldapfilter. The search results are displayed in a seemingly random order (not the order specified after |table). Is there a better way to do this so I can specify the results display order?

index=blah |table _time,UserName,displayName,IpAddress |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName"

Note: For some reason doing the order of |table vs. |eval |ldapfilter heavily impacts search performance.

Faster (11-12 secs):

index=blah |table _time,UserName,displayName,IpAddress |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName"

Much slower (116-117 secs):

index=blah |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName" |table _time,UserName,displayName,IpAddress

Re: table order with eval

richgalloway — Wed, 30 Dec 2015 16:27:06 GMT

Do your events have a large number of fields? If so, that might explain the performance difference as the table command would reduce the number of fields to process. Try this:

index=blah |fields _time,UserName,displayName,IpAddress | eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName" |table _time,UserName,displayName,IpAddress

Re: table order with eval

mikesangray — Wed, 30 Dec 2015 16:49:46 GMT

Not a large number of fields - only 24 including host, source, and sourcetype. Putting |fields in did not help.

Here are the results from job inspector for 'command.ldapfilter'.