Archive
Highlighted

Base and post process search

Loves-to-Learn

Can someone help me in understanding the actual use of base and post process searches please.
And I would also like to know if streamstats and eventstats will be recommended as transforming commands in base searches and will there be any performance issue in using them

0 Karma
Highlighted

Re: Base and post process search

Ultra Champion
0 Karma
Highlighted

Re: Base and post process search

Legend

To be specific Post Processing Best Practices.

The reason for use of transforming commands in base search is so that you reduce the number of rows by using some aggregation field/s and have base search pull only required (reduced) rows and colums. However, if only eventstats and streamstats are used you will still have original no. or rows and will not be reducing the total number of events.

As far as performance is concerned depends upon factors like:
1. Your Splunk environment specs and configs
2. How much data is getting pulled in your base search.
3. Use loadjob vs. post-processing.
4. Other Acceleration techniques like metrics index, data model acceleration etc.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.