https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574112#M200077 <P>I would combine the first and last.</P><LI-CODE lang="markup">index=abc ID=* | fields ID | stats count by ID</LI-CODE><P>If the ID field is indexed then <FONT face="courier new,courier">tstats</FONT> would be more efficient.</P><LI-CODE lang="markup">| tstats count where index=abc by ID</LI-CODE><P>&nbsp;</P> Tue, 09 Nov 2021 01:11:25 GMT richgalloway 2021-11-09T01:11:25Z https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574091#M200071 <P>We have a relatively small set of devices that emit daily in the vicinity of a million events each.&nbsp; Each device has unique ID (Serial #) which is included in events.</P><P>What would be an efficient method of collecting a list of unique IDs?&nbsp;<BR /><BR />index=abc | stats count by ID&nbsp;&nbsp;<BR /><BR />index=abc | stats values(id) as IDs | mvexpand IDs<BR /><BR />index-abc | fields ID | dedup ID</P><P>Anything else?</P><P>&nbsp;</P> Mon, 08 Nov 2021 21:55:28 GMT https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574091#M200071 pm771 2021-11-08T21:55:28Z https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574112#M200077 <P>I would combine the first and last.</P><LI-CODE lang="markup">index=abc ID=* | fields ID | stats count by ID</LI-CODE><P>If the ID field is indexed then <FONT face="courier new,courier">tstats</FONT> would be more efficient.</P><LI-CODE lang="markup">| tstats count where index=abc by ID</LI-CODE><P>&nbsp;</P> Tue, 09 Nov 2021 01:11:25 GMT https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574112#M200077 richgalloway 2021-11-09T01:11:25Z https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574133#M200089 <P>In terms of efficiency, the stats command is _likely_ to be the most efficient. However, make sure you put as many filter criteria in the initial search as possible. For example if each device produces different types of event and you know it always makes an event with a type=X then include that type filter in the search, so it will not search ALL events produced by the device, only the limited subset.</P><P>The job inspector should give you a good idea as to which is the most efficient in your environment.</P><P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; says, if your ID field is indexed, then tstats will be by far, the most efficient way of collecting the list of ids, at the expense of some extra disk space to index that field for each event.</P><P>&nbsp;</P> Tue, 09 Nov 2021 06:19:05 GMT https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574133#M200089 bowesmana 2021-11-09T06:19:05Z https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574136#M200092 <P>As usually this depends and the best way to check which one is best for your particular case is to use Job inspector as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;already said. Time by time dedup can be more efficient than stats (which is efficient in most of cases).</P><P>r. Ismo</P> Tue, 09 Nov 2021 06:30:02 GMT https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574136#M200092 isoutamo 2021-11-09T06:30:02Z https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574223#M200118 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;<BR /><BR />I understand <FONT face="andale mono,times" color="#0000FF">ID=*</FONT> part.&nbsp; &nbsp;Why would I needs <FONT color="#0000FF">fields</FONT> before <FONT color="#0000FF">stats</FONT>?<BR /><BR />Can you please explain?</P> Tue, 09 Nov 2021 15:52:20 GMT https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574223#M200118 pm771 2021-11-09T15:52:20Z https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574240#M200123 <P>The <FONT face="courier new,courier">fields</FONT> command reduces the amount of data being processed.&nbsp; It probably is not of much benefit in this example, but is something to keep in mind when thinking about performance.</P> Tue, 09 Nov 2021 16:34:39 GMT https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574240#M200123 richgalloway 2021-11-09T16:34:39Z https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574288#M200134 <P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;says, <STRONG>fields</STRONG> is a useful command, particularly when dealing with large data sets, as it instructs the search to remove unwanted data from the event, thus improving efficiency.</P><P>An important point about <STRONG>fields</STRONG> is that it typically runs on the indexer before the data is returned to a search head, so it can be very important in minimising the data flow through the Splunk environment, therefore improving your search performance, but also having less impact on others' search performance.</P><P>&nbsp;</P> Tue, 09 Nov 2021 21:08:44 GMT https://community.splunk.com/t5/Splunk-Search/Getting-a-list-of-unique-IDs-from-a-large-data-set-efficiently/m-p/574288#M200134 bowesmana 2021-11-09T21:08:44Z