Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I am combine two queries and calculating the percentage but.

rajhemant26
New Member
‎06-03-2018 11:17 PM

Hello everyone.

Want to display the output only for the time which crosses 18 months (earliest time)

Tags (1)
0 Karma
Reply

FrankVl
Ultra Champion
‎06-04-2018 02:16 AM

I took the liberty of editing your question, to put the search code as code, such that special characters like * don't disappear.

Couple of observations

  1. You're not just combining 2 queries, you're combining many more, with all those append statements
  2. You're using quite a few != filters, including also wildcards. Such negative filters are significantly slower than positive filters.
  3. You're pulling a lot of data together, doing some evals on different pieces. But in the end, all you do is a stats count as release1 which you then join with the second part, which ends with table Percent. Can you perhaps explain what you are trying to achieve here? It doesn't make a whole lot of sense to me.
  4. The search on the right side of your join calculates a percentage based on release2 - release1. But release1 is only defined on the left side of the join, so that calculation will never work like that. Shouldn't that last ] be before the | eval Percent... part?

So apart from the general remark on the != filters, I think we need some more explaining on what you are trying to achieve, before anyone can give a proper answer on how to improve your query.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-04-2018 02:16 AM

append and join aren't meant to be used like that.

earliest=1520640000 latest=1531526400 
(index=app host="prod*"  AND host= "*web*" OR host= "*wap*" _raw!="" AND _raw!="*sql*" AND exception!="*db2*" AND exception !="*solr*" error) OR
(index=app host="prod*" MQ _raw="*ERROR*" _raw!="*INFO*") OR
(index=app host="prod*" exception="*sql*" sqlserver OR db2) OR
(index=datatier riak sourcetype=kvs_console "\[error\]" host="prod*") OR
(index=datatier host="*prod*" source="*memsql*"  "ERROR") OR
(index=datatier OR index=app sourcetype="solr_log" SEVERE OR ERROR)
| stats count(eval(_time < 1526688000)) as release1 count(eval(_time >= 1526688000)) as release2 
| eval Percent = ((release2-release1)/ release1)*100  |table Percent

This will search your data in one go and count right away, instead of appending huge lists of raw data to each other

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-05-2018 04:27 AM

The next step is to figure out which part is taking up too much time. Run each segment individually:

earliest=1520640000 latest=1531526400 
(index=app host="prod*"  AND host= "*web*" OR host= "*wap*" _raw!="" AND _raw!="*sql*" AND exception!="*db2*" AND exception !="*solr*" error)
| stats count

Post the resulting count plus these values from the job inspector: scan count, run duration (or run time?).

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...