Dashboards & Visualizations

Splunk Search - Taking more time to get the results, How would I make a more efficient search?

Vani_26
Path Finder

query:

index=xxx host=xx sourcetype=xxx source=xxx
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage



The above query is working fine, But i want to modify the query to run in less time because now it is taking more time to get the results.
Can any one suggest.

Labels (1)
0 Karma
1 Solution

martinpu
Communicator
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

View solution in original post

0 Karma

martinpu
Communicator
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

0 Karma

Vani_26
Path Finder

This is a dashboard query, it is taking around 10mins to load the panel. 

Here in raw data status is mentioned as status:1002

Time range 7 days

 

Is there any possibility to use tstats term and prefix in the query.

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...