Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search - Taking more time to get the results, How would I make a more efficient search?

Vani_26
Path Finder
‎08-04-2022 03:22 PM

query:

index=xxx host=xx sourcetype=xxx source=xxx
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage



The above query is working fine, But i want to modify the query to run in less time because now it is taking more time to get the results.
Can any one suggest.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎08-04-2022 09:30 PM

This is a dashboard query, it is taking around 10mins to load the panel. 

Here in raw data status is mentioned as status:1002

Time range 7 days

 

Is there any possibility to use tstats term and prefix in the query.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...