Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search - Taking more time to get the results, How would I make a more efficient search?

Vani_26
Path Finder
‎08-04-2022 03:22 PM

query:

index=xxx host=xx sourcetype=xxx source=xxx
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage



The above query is working fine, But i want to modify the query to run in less time because now it is taking more time to get the results.
Can any one suggest.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎08-04-2022 09:30 PM

This is a dashboard query, it is taking around 10mins to load the panel. 

Here in raw data status is mentioned as status:1002

Time range 7 days

 

Is there any possibility to use tstats term and prefix in the query.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...