Building for the Splunk Platform

Query to append the results from two different indexes with Append its taking more time



I am trying to get the results form two indexes and appending the results . The query is working on search window. But after adding to dashboard its timed out. Anyone please help to optimize the code .


code -

index=servicewow dv_cmdb_ci=Work OR short_description="*WJM*" OR assignment_group="People" earliest="-24h@h" dv_state="Open" OR dv_state="Work in Progress"|fields opened_at,dv_number,priority|dedup dv_number|eval new1=now()|eval new=strftime(new1,"%Y-%m-%d %H:%M:%S") |stats list(opened_at) as start, list(new) as current by dv_number,priority|append[search index=sales_enterprise sourcetype=sfdc:case Category__c=Work earliest="-24h@h" Status="Open" OR Status="In Progress"|fields CaseNumber,Priority,Status,CreatedDate|dedup CaseNumber|eval new1=now()|eval new=strftime(new1,"%Y-%m-%d %H:%M:%S") |stats list(CreatedDate) as csstart, list(new) as cscurrent by CaseNumber,Priority,Status]|eval duration=strptime(current,"%Y-%m-%d %H:%M:%S") - strptime(start,"%Y-%m-%d %H:%M:%S")|eval Time=round(((((duration)/3600)/24)),0)|eval csduration=strptime(cscurrent,"%Y-%m-%d %H:%M:%S") - strptime(csstart,"%Y-%m-%dT%H:%M:%S")|eval CaseTime=round(((((csduration)/3600)/24)),0)|eval IncSLA=if((Time>3 AND priority=3),"P3 INC-SLA Breached", if((Time>7 AND priority=4),"P4 INC-SLA Breached","SLA Yet to Breach"))|eval CaseSLA=if((CaseTime>3 AND Priority="Medium"),"P3 Case-SLA Breached", if((CaseTime=1 AND Priority="Low"),"P4 Case-SLA Breached","SLA Yet to Breach"))|stats count(eval(IncSLA="P3 INC-SLA Breached")) as "P3 Inc-SLA Breached",count(eval(IncSLA="P4 INC-SLA Breached")) as "P4 Inc-SLA Breached",count(eval(CaseSLA="P3 case-SLA Breached")) as "P3 Case-SLA Breached", count(eval(CaseSLA="P4 Case-SLA Breached")) as "P4 Case-SLA Breached"|transpose|rename column as Incidents/Cases|rename "row 1" as "NoOfIncidents/Cases Breached"

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...