I have a query like this
index=abc sourcetype=xyz | table "something" | join something type=left [search index=abc sourcetype=xyz | my query |] | table something | join something and it continues.
I have used 5-6 joins while writing the query and my performance got hampered. It takes around 300 seconds for parsing. Is there a way to reduce joins? If yes, how?
Thanks in advance
That question is so common that there are several prepared solutions 😄
short, text: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...
long, full talk: https://wiki.splunk.com/Virtual_.conf March 2016 "Best practices around grouping and aggregating data from different search results"
.conf version: http://conf.splunk.com/files/2016/recordings/let-stats-sort-them-out-building-complex-result-sets-th...
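A sketch of the stats-instead-of-join pattern those titles refer to, applied to the shape of the query in the question. This is an added example, not taken from the posts or the linked material. The filter `action=failure` (standing in for "my query") and the field `reason` are hypothetical, and comments use Splunk's `comment` macro.

```spl
index=abc sourcetype=xyz
| eval is_sub=if(searchmatch("action=failure"), 1, 0) `comment("hypothetical filter: marks events the subsearch would have returned")`
| stats count AS events
        sum(is_sub) AS sub_events
        values(eval(if(is_sub=1, reason, null()))) AS sub_reason
        BY something `comment("hypothetical field reason: one pass over the data, grouped on the former join key")`
| table something events sub_events sub_reason
```

Every value of `something` from the base search stays in the result, as with `type=left`, and `sub_reason` is simply empty where no event matched the filter. Each further join on the same key becomes another conditional aggregate in the same `stats` rather than another subsearch.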