I've got a search that does a |table prior to doing an |eval for ldapfilter. The search results are displayed in a seemingly random order (not the order specified after |table). Is there a better way to do this so I can specify the results display order?
index=blah |table _time,UserName,displayName,IpAddress |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName"
Note: For some reason the order of |table vs. |eval |ldapfilter heavily impacts search performance.
Faster (11-12 secs):
index=blah |table _time,UserName,displayName,IpAddress |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName"
Much slower (116-117 secs):
index=blah |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName" |table _time,UserName,displayName,IpAddress
Do your events have a large number of fields? If so, that might explain the performance difference as the table command would reduce the number of fields to process. Try this:
index=blah |fields _time,UserName,displayName,IpAddress | eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName" |table _time,UserName,displayName,IpAddress
Not a large number of fields - only 24 including host, source, and sourcetype. Putting |fields in did not help.
Here are the results from job inspector for 'command.ldapfilter'.
|table |eval |ldapfilter = 18.32 seconds
|eval |ldapfilter |table = 120.52 seconds
|fields |eval |ldapfilter |table = 120.43 seconds