
How to reduce number of joins?


I have a query like this

index=abc sourcetype=xyz|table "something"|join something type=left[search index=abc sourcetype=xyz|my query|]|table something|join something and it continues.

I have used 5-6 joins while writing the query and my performance got hampered. It takes around 300 seconds for parsing. Is there a way to reduce joins? If yes, how?

Thanks in advance


Re: How to reduce number of joins?

SplunkTrust

That question is so common that there are several prepared solutions 😄

short, text: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

long, full talk: https://wiki.splunk.com/Virtual_.conf March 2016 "Best practices around grouping and aggregating data from different search results"
.conf version: http://conf.splunk.com/files/2016/recordings/let-stats-sort-them-out-building-complex-result-sets-th...