topic Re: How do I optimize my search? in Splunk Search

How do I optimize my search?

jkalra — Fri, 03 Jun 2016 13:50:08 GMT

I have the following search and takes a lot of time to output data. Is there a way to optimize the search?

eventtype=aos_deployment_1_openam_session_start | timechart count as "Auth Start" | appendcols[| search eventtype=aos_deployment_1_openam_session_end | timechart count as "Auth Completion"] | appendcols[| search eventtype=aos_deployment_1_openam_session_failed | timechart count as "Failed Auth"] | fillnull value=0

Re: How do I optimize my search?

sundareshr — Fri, 03 Jun 2016 14:02:59 GMT

Try this

eventtype=aos_deployment_1_openam_session_start OR eventtype=aos_deployment_1_openam_session_end OR eventtype=aos_deployment_1_openam_session_failed | eval et=split(eventtype, "_") | eval status=mvindex(et, mvcount(et)-1) | stats count by status | rename start AS "Auth Start" end AS "Auth Completion" failed AS "Failed Auth"

Re: How do I optimize my search?

somesoni2 — Fri, 03 Jun 2016 14:11:32 GMT

Give this a try

eventtype=aos_deployment_1_openam_session_start OR eventtype=aos_deployment_1_openam_session_end OR eventtype=aos_deployment_1_openam_session_failed | timechart count by eventtype | fillnull value=0
| rename aos_deployment_1_openam_session_start as "Auth Start" aos_deployment_1_openam_session_end as  "Auth Completion" aos_deployment_1_openam_session_failed as "Failed Auth"
| table _time  "Auth Start" "Auth Completion"  "Failed Auth"

Re: How do I optimize my search?

jkalra — Fri, 03 Jun 2016 15:45:53 GMT

This one gives me no output other than the _time. Plus it takes longer than before 🙂

Re: How do I optimize my search?

jkalra — Fri, 03 Jun 2016 15:48:37 GMT

Thanks Somesh.... Unfortunately this takes a lot of time to execute and also there was a correction in timechart count(eventtype).

Could this because my eventtypes are not optimized?

Re: How do I optimize my search?

somesoni2 — Fri, 03 Jun 2016 15:51:12 GMT

My bad. The correct timechart command was "timechart count by eventtype".

My experience with eventtype haven't been great as they always slow my queries. What is your eventtype definition? Some time it's better to create a macro with same definition then eventtype.

Re: How do I optimize my search?

jkalra — Fri, 03 Jun 2016 16:03:39 GMT

Thats a nice pointer.....can you provide a link on how to create a macro?.
This is what my eventtype looks like

index=cams sourcetype=log4j source=*/aos/aos-audit* deployment_id=1 action="AOS-OPENAM-SESSION" status=START

Can we convert this to a macro?

Re: How do I optimize my search?

somesoni2 — Fri, 03 Jun 2016 16:05:48 GMT

We surely can. Have a look at this
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Definesearchmacros

Re: How do I optimize my search?

jkalra — Fri, 03 Jun 2016 19:43:22 GMT

I downvoted this post because sorry, but this does not give me the desired result . the output i need is failed auth , auth start & auth completion. your search gives me the total counts