We have this standard query -
index=<index name> sourcetype=*prod clientID=*aaa OR clientID=bbbb OR clientID=*ccc OR clientID=*ddd
| stats count by clientID apiName
| eval applicationName=case(
clientID="<client_id>", "<nicer name>",
....)
| fields - clientID
| fields applicationName apiName count
| sort applicationName
Are there more performant options for such a query?
If those are indexed extractions (at index time or via datamodel acceleration) you can do this:
| tstats count where index=<index name> sourcetype=*prod clientID=*aaa OR clientID=bbbb OR clientID=*ccc OR clientID=*ddd by clientID apiName
| eval applicationName=case(
clientID="<client_id>", "<nicer name>",
....)
| fields - clientID
| fields applicationName apiName count
| sort applicationName
Much appreciated @adonio.
Very interesting @adonio - thank you.
I MAY be mistaken, but if you put fields at the beginning, it might be helpful, so Splunk only grabs relevant fields and isn't looking at anything else.
index=
| fields clientID apiName
| stats count by clientID apiName
| eval applicationName=case(clientID="
| fields - clientID
| sort applicationName
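Putting the thread's two suggestions together, as an added example that is not from any of the posters above: the OR group is parenthesised so the grouping no longer depends on SPL operator precedence, `fields` is pushed ahead of `stats` so only the two needed fields are extracted per event, `case()` gets a `true()` default so a clientID missing from the mapping still appears (instead of a null applicationName that silently drops from the report), and the redundant `fields - clientID` step is gone. It assumes clientID and apiName are search-time extractions (the tstats form above applies when they are indexed); `<index name>`, the client IDs and the application names are placeholders.

```spl
index=<index name> sourcetype=*prod
    (clientID=*aaa OR clientID=bbbb OR clientID=*ccc OR clientID=*ddd)
| fields clientID apiName
| stats count by clientID apiName
| eval applicationName=case(
    clientID="<client_id_1>", "<nicer name 1>",
    clientID="<client_id_2>", "<nicer name 2>",
    true(), "unmapped:" . clientID)
| fields applicationName apiName count
| sort applicationName
```

Leading wildcards such as `*aaa` force a scan of every term in the index lexicon rather than a prefix match, so they remain the expensive part of this search; if the IDs can be matched exactly or on a prefix, that change buys more than any of the downstream commands.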
Makes perfect sense @cmerriman!!