https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680614#M232635 <P>and there is a basic problem with that search anyway, which is that you are using a field called "<STRONG>count</STRONG>", which does not exist - your timechart will produce a field called <STRONG>dc(symbol)</STRONG>. I assume that is a typo and that your real search does <STRONG>dc(symbol) as count</STRONG></P><P>&nbsp;</P> Wed, 13 Mar 2024 22:55:33 GMT bowesmana 2024-03-13T22:55:33Z https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680581#M232619 <P>Hi All,</P> <P>&nbsp;</P> <P>How can I optimize the below query? Can we convert it to tstats?</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=abc host=def* stalled | rex field=_raw "symbol (?&lt;symbol&gt;.*) /" | eval hourofday = strftime(_time, "%H") | where NOT (hourofday&gt;2 AND hourofday &lt;= 4) | timechart dc(symbol) span=15m | eventstats avg("count") as avg stdev("count") as stdev | eval lowerBound=-1, upperBound=(avg+stdev*exact(4)) | eval isOutlier=if('count' &lt; lowerBound OR 'count' &gt; upperBound, 1, 0) | fields _time, "count", lowerBound, upperBound, isOutlier, * | sort -_time | head 1 | where isOutlier=1</LI-CODE> Wed, 13 Mar 2024 18:25:22 GMT https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680581#M232619 abhi04 2024-03-13T18:25:22Z https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680613#M232634 <P>&nbsp;</P><P>Use TERM(stalled), as that will help filter the initial data volume retrieved</P><P>The order of commands is important - you are doing the rex before the hour constraint - change the order.</P><P>You may already have a field called date_hour (it is often extracted by default - check). If so you can put that in the search&nbsp;</P><LI-CODE lang="markup">index=abc host=def* stalled (date_hour &lt; 3 OR date_hour &gt; 4) | rex field=_raw "symbol (?&lt;symbol&gt;.*) /" | timechart dc(symbol) span=15m</LI-CODE><P>Replace the NOT with a positive constraint, i.e. check that the hour is &lt; 3 or &gt; 4 rather than NOT &gt;2 AND &lt;4</P><P>You can't convert it to tstats unless symbol becomes an indexed field.</P><P>&nbsp;</P> Wed, 13 Mar 2024 22:53:31 GMT https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680613#M232634 bowesmana 2024-03-13T22:53:31Z https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680614#M232635 <P>and there is a basic problem with that search anyway, which is that you are using a field called "<STRONG>count</STRONG>", which does not exist - your timechart will produce a field called <STRONG>dc(symbol)</STRONG>. I assume that is a typo and that your real search does <STRONG>dc(symbol) as count</STRONG></P><P>&nbsp;</P> Wed, 13 Mar 2024 22:55:33 GMT https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680614#M232635 bowesmana 2024-03-13T22:55:33Z https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680623#M232641 <P>This is awesome, thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;. And, yes, it was a type for the "count" <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 14 Mar 2024 00:46:55 GMT https://community.splunk.com/t5/Splunk-Search/Optimizing-the-search/m-p/680623#M232641 abhi04 2024-03-14T00:46:55Z