topic Re: Better search query way in terms of performance in Splunk Search

Better search query way in terms of performance

N92 — Tue, 03 Sep 2019 13:38:41 GMT

I have below search criteria so let me know best way for this.

base search (which have output in table format) [table sourcetype def ghi]
sourcetype= 1 check with static lookup and store respective result in "ghi" field
sourcetype= 2 check with static lookup and store respective result in "ghi" field

Re: Better search query way in terms of performance

jpolvino — Tue, 03 Sep 2019 13:47:11 GMT

Can you please provide samples of what your table represents, and what you want to do with the two sourcetype lines you mention?

Re: Better search query way in terms of performance

somesoni2 — Tue, 03 Sep 2019 14:00:09 GMT

Give this a try

your base search
| lookup yourSourcetype1lookup.csv fieldName OUTPUT ghi as ghi1
| lookup yourSourcetype2lookup.csv fieldName OUTPUT ghi as ghi2
| eval ghi=iff(sourcetype="sourcetype1", ghi1,ghi2) | fields - ghi1 ghi2

Re: Better search query way in terms of performance

N92 — Wed, 30 Sep 2020 01:58:43 GMT

| table dest user source sourcetype result
| lookup users.csv users as user OUTPUT host_name as result
| lookup users.csv source as user OUTPUT host_name as result

For both the lookup condition I am try to distinguish with sourcetype condition.

Re: Better search query way in terms of performance

N92 — Tue, 03 Sep 2019 15:42:54 GMT

It works. Thanks @somesoni2

Re: Better search query way in terms of performance

tscroggins — Wed, 30 Sep 2020 01:58:52 GMT

Create a simple lookup file, e.g. sourcetype_ghi_lookup.csv, with two fields, sourcetype and ghi. E.g. For sourcetype=1 and sourcetype=2:

sourcetype,ghi
1,"some ghi value"
2,"another ghi value"

| lookup sourcetype_ghi_lookup.csv sourcetype output ghi

You can use the file in both a lookup and automatic lookup definition to omit the lookup command in searches and populate the ghi field automatically.