Reverse searching

polymorphic
Communicator

I need to find the very first occurrence of data received with a specific field id.

I have this search which does the job:

sourcetype=stats device_id=94 | stats last(FileTime)

But Splunk searches from the newest event received to the oldest event received, which means that the search will take a very long time to finish. (262 seconds)
And at this point we only have 3 months of data stored.
When we have 14 months of data stored (which we need) this will obviously be even more time consuming.

Is there any way to make Splunk search in reverse order?
And then stop searching when a result is found?


Drainy
Champion

Why use stats, why not just use:

sourcetype=stats device_id=94 FileTime=* | tail 1

Also, if you're looking to do these sorts of searches over longer time periods then it would be worth looking at summary indexing to start taking summarisation data to save time in the future:

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usesummaryindexing


Drainy
Champion

In that case there isn't much you can do I'm afraid, that's simply how Splunk searches. stats last will be the best option if you're in a distributed environment.


polymorphic
Communicator

Thanks for the answer.
However, the search suggested is just as time consuming as mine, but delivers even more information which I don't need.

I agree that summary indexing could be a way to go, but I just think that it would be more efficient to do the search "backwards" instead.

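The thread above turns on two points: why `stats last(FileTime)` and `| tail 1` both have to visit every matching event before they can answer, and why a summary index turns the question into a lookup. The following Python model is an added example, not code from the thread or from Splunk: it replays the three searches over a constructed, newest-first event list (the order Splunk returns raw events in), counts how many events each one has to scan, and shows the "first seen per device" table a scheduled summary search would maintain. The event data, field values and the `reverse_scan_filetime` helper are constructed for illustration; Splunk does not expose that oldest-first early-exit for a raw event search.

```python
"""Model of the SPL searches in the thread over a reverse-chronological
event stream, plus the summary-index approach from the answer.
All data here is constructed; nothing calls Splunk."""

# Constructed sample events, already in the order Splunk returns them:
# newest first. FileTime is an ISO-8601 string so lexical order == time order.
EVENTS = [
    {"_time": 1700000300, "device_id": "94", "FileTime": "2023-11-14T22:05:00"},
    {"_time": 1700000200, "device_id": "17", "FileTime": "2023-11-14T22:03:20"},
    {"_time": 1700000100, "device_id": "94", "FileTime": "2023-11-14T22:01:40"},
    {"_time": 1700000000, "device_id": "94"},  # event with no FileTime field
    {"_time": 1699999900, "device_id": "94", "FileTime": "2023-11-14T21:58:20"},
    {"_time": 1699999800, "device_id": "17", "FileTime": "2023-11-14T21:56:40"},
]


def _matches(ev, device_id):
    """device_id=<id> FileTime=*  (stats last() also ignores events lacking the field)."""
    return ev.get("device_id") == device_id and "FileTime" in ev


def stats_last_filetime(events, device_id):
    """`sourcetype=stats device_id=94 | stats last(FileTime)`.
    last() is the value seen last in stream order, i.e. from the OLDEST event
    that carries the field. Returns (value, events_scanned): every event has
    to be read before the answer is known."""
    last = None
    scanned = 0
    for ev in events:
        scanned += 1
        if _matches(ev, device_id):
            last = ev["FileTime"]
    return last, scanned


def tail_1_filetime(events, device_id):
    """`sourcetype=stats device_id=94 FileTime=* | tail 1`.
    Keeps the final matching event of the stream; same answer, same full scan."""
    matches = [ev for ev in events if _matches(ev, device_id)]
    return (matches[-1]["FileTime"] if matches else None), len(events)


def reverse_scan_filetime(events, device_id):
    """What the asker wants (hypothetical): walk oldest-to-newest and stop at
    the first hit. Returns (value, events_scanned) to show the early exit."""
    scanned = 0
    for ev in reversed(events):
        scanned += 1
        if _matches(ev, device_id):
            return ev["FileTime"], scanned
    return None, scanned


def build_first_seen_summary(events):
    """Summary-indexing idea from the answer: a scheduled search writes one
    row per device_id holding the earliest FileTime seen so far. Asking the
    question is then a single lookup in this table instead of a full scan."""
    summary = {}
    for ev in events:
        if "FileTime" not in ev:
            continue
        dev = ev["device_id"]
        if dev not in summary or ev["FileTime"] < summary[dev]:
            summary[dev] = ev["FileTime"]
    return summary


if __name__ == "__main__":
    for name, fn in (("stats last", stats_last_filetime),
                     ("tail 1", tail_1_filetime),
                     ("reverse scan", reverse_scan_filetime)):
        value, scanned = fn(EVENTS, "94")
        print(f"{name:13s} -> {value}  (scanned {scanned} of {len(EVENTS)} events)")
    print("summary table:", build_first_seen_summary(EVENTS))
```

Both SPL forms return the same oldest FileTime after scanning the whole stream, which matches the asker's observation that `tail 1` is no faster. The summary table is the practical fix for the 14-month retention case: keep it updated on a schedule over small recent windows, and the "first seen" query never touches the raw index again.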