topic Re: How can we optimize our current search? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-we-optimize-our-current-search/m-p/213642#M62676 <P>Hi anantdeshpande,<BR /> in your question there is a visualization problem of the regex, you have to format your search as Code.<BR /> Every way, you can build your search in this way:</P> <PRE><CODE>index= idx_prod sourcetype=SRC1 OR sourcetype=SRC2 OR sourcetype=SRC3 OR sourcetype=SRC4 OR (sourcetype=SRC5 "$TXN_ID$") OR (sourcetype=SRC6 "$TXN_ID$") | rex "regex1" | rex "regex2" | rex "regex3" | rex "regex4" | search TXN_ID = "$TXN_ID$" | ... </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 04 Jan 2017 12:09:12 GMT gcusello 2017-01-04T12:09:12Z How can we optimize our current search? https://community.splunk.com/t5/Splunk-Search/How-can-we-optimize-our-current-search/m-p/213641#M62675 <P>We want to optimize below query as it's taking 4 Min to execute. </P> <PRE><CODE>index= idx_prod sourcetype=SRC1 "Sent message:" | rex "Sent message: \w\d+\s+\d(?.\d{6}\s+"] | rex "Sent Mgs:\w\d+\s+\d+\s+\d+{4}(?.[A-Z 0-9]{14})" | search TXN_ID = "$TXN_ID$" | join type=outer AIREF_ID [search index= idx_prod sourcetype= SRC2 "Airef Number" | rex "Airef Number\s+\w\d+(?&lt; AIREF_ID &gt;.\d{6}\s+\s" ] | join type=outer AIREF_ID [search index = idx_prod sourcetype =SRC3 " Airef Number " | rex "Airef Number\s+\w\d+(?&lt; AIREF_ID &gt;.\d{6}\s+\s" ] | join type=outer AIREF_ID [search index= idx_prod sourcetype = SRC4 “orig mq Content" |rex mq Content\s+\=\s+\w\d+(?&lt; AIREF_ID &gt;.\d{6})ACK” ] |append [search index= idx_prod sourcetype=SRC5 "$TXN_ID$" ] |append [search index= idx_prod sourcetype=SRC6 "$TXN_ID$" ] </CODE></PRE> <P>Query works as below:<BR /> 1) This query is part of drill-down dashboard. TRAN_ID is passed as token on this dashboard. <BR /> 2) First query: Extracts AIREF_ID &amp; TRAN_ID. This is the only event where we both ID are present.[search TXN_ID = "$TXN_ID$"] searches for the event where TRAN_ID matches.<BR /> 3) Join queries: Extracts AIREF_ID and joins with 1st query. <BR /> 4) Append queries: Searches events for having TXN_ID and appends with 1st query. </P> <P>How we want to optimize the search:<BR /> 1) Want to avoid joins.<BR /> 2) How can we extract &amp; pass AIREF_ID as token in the same dashboard. Something like Run 1st query in the background, extract AIREF_ID &amp; pass it as token in the panel.<BR /> 3) Does sub-search instead of join will improve performance?</P> Tue, 29 Sep 2020 12:15:14 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-optimize-our-current-search/m-p/213641#M62675 anantdeshpande 2020-09-29T12:15:14Z Re: How can we optimize our current search? https://community.splunk.com/t5/Splunk-Search/How-can-we-optimize-our-current-search/m-p/213642#M62676 <P>Hi anantdeshpande,<BR /> in your question there is a visualization problem of the regex, you have to format your search as Code.<BR /> Every way, you can build your search in this way:</P> <PRE><CODE>index= idx_prod sourcetype=SRC1 OR sourcetype=SRC2 OR sourcetype=SRC3 OR sourcetype=SRC4 OR (sourcetype=SRC5 "$TXN_ID$") OR (sourcetype=SRC6 "$TXN_ID$") | rex "regex1" | rex "regex2" | rex "regex3" | rex "regex4" | search TXN_ID = "$TXN_ID$" | ... </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 04 Jan 2017 12:09:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-optimize-our-current-search/m-p/213642#M62676 gcusello 2017-01-04T12:09:12Z