topic Re: Need to modify the search by eliminating append commands.is it possible? in Splunk Search

Need to modify the search by eliminating append commands.is it possible?

Veeru — Thu, 13 Jan 2022 13:01:07 GMT

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| transaction UUID keepevicted=true
| eval ReportKey="Today"
| append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
| transaction UUID keepevicted=true
| eval ReportKey="LastWeek"
| eval _time=_time+60*60*24*7]
| timechart span=30m count(linecount) as Volume by ReportKey | fields _time,Today,LastWeek

as this search taking more time to load so i am trying to modify the search can you please me with this.

Thanks in advance
Veerendra

Re: Need to modify the search by eliminating append commands.is it possible?

richgalloway — Thu, 13 Jan 2022 13:16:41 GMT

Are you sure it's append that's taking more time and not transaction? The transaction command tends to be more inefficient. Perhaps this will be a quicker way to plot volume.

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m | bin span=30m _time ```Count transactions by counting the number of unique UUID values``` | stats dc(UUID) by _time | eval ReportKey="Today" | append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w | bin span=30m _time | stats dc(UUID) by _time | eval ReportKey="LastWeek" | eval _time=_time+60*60*24*7] | timechart span=30m count as Volume by ReportKey

Re: Need to modify the search by eliminating append commands.is it possible?

Veeru — Thu, 13 Jan 2022 13:36:05 GMT

@richgalloway

But that gives me 0 count,it’s not giving me the exact results

Re: Need to modify the search by eliminating append commands.is it possible?

richgalloway — Thu, 13 Jan 2022 16:27:19 GMT

Let's break it down a little. Does this part produce correct results?

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m | bin span=30m _time | stats dc(UUID) by _time

Re: Need to modify the search by eliminating append commands.is it possible?

Veeru — Mon, 17 Jan 2022 09:39:25 GMT

Till stats count(uuid) is working but i want by reportkey

Re: Need to modify the search by eliminating append commands.is it possible?

Veeru — Mon, 17 Jan 2022 10:00:30 GMT

@richgalloway
Thanks for reply

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
| stats dc(UUID) by _time

this giving exact results but when i append with but search i.e

index in (a,b) sourcetype in (a,b) earliest=-12h latest=@m

|bin span =30m _time

|stats dc(Uuid) as today by _time

|append[ |search index in (a,b) sourcetype in (a,b) earliest=-12h -1w latest=@m-1w

|eval _time=_time+60*60*24*14

|bin span =30m _time

|stats dc(Uuid) as lastweek by _time] |fields today,lastweek

In this query for today i am geeting exact output but for lastweek i am getting 0 results.

please help me out

thank you in advance

veeru

Re: Need to modify the search by eliminating append commands.is it possible?

richgalloway — Mon, 17 Jan 2022 17:57:05 GMT

The "IN" keyword must be capitalized. Also, consider using the relative_time function instead of maths.