Archive

Reverse searching

Communicator

I need to find the very first occurence of data received with a specific field id.

I have this search which does the job:

sourcetype=stats device_id=94 | stats last(FileTime)

But Splunk searches from the newest event received to the oldest event received, which means that the search will take very long time to finish. (262 seconds)
And at this point we only have 3 month of data stored.
When we have 14 month of data stored (which we need) this will obviously be even more time consuming.

Is there any way to make Splunk search in reverse order?
And then stop searching when result is found?

Tags (1)
0 Karma

Champion

Why use stats, why not just use;

sourcetype=stats device_id=94 FileTime=* | tail 1

Also, if you're looking to do these sorts of searches over longer time periods then it would be worth looking at summary indexing to start taking summarisation data to save time in the future;

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usesummaryindexing

0 Karma

Champion

In that case there isn't much you can do I'm afraid, thats imply how Splunk searches. stats last will be the best option if you're in a distributed environment.

0 Karma

Communicator

Thanks for the answer.
However, the search suggested is just as time consuming as mine, but delivers even more information which i dont need.

I agree that summary indexing could be a way to go, but i just think that it would be more efficient, to do the search "backwards" instead.

0 Karma