Developing for Splunk Cloud Services
Highlighted

Query to append the results from two different indexes with Append its taking more time

Loves-to-Learn

Hi,

I am trying to get the results form two indexes and appending the results . The query is working on search window. But after adding to dashboard its timed out. Anyone please help to optimize the code .

 

code -

index=servicewow dv_cmdb_ci=Work OR short_description="*WJM*" OR assignment_group="People" earliest="-24h@h" dv_state="Open" OR dv_state="Work in Progress"|fields opened_at,dv_number,priority|dedup dv_number|eval new1=now()|eval new=strftime(new1,"%Y-%m-%d %H:%M:%S") |stats list(opened_at) as start, list(new) as current by dv_number,priority|append[search index=sales_enterprise sourcetype=sfdc:case Category__c=Work earliest="-24h@h" Status="Open" OR Status="In Progress"|fields CaseNumber,Priority,Status,CreatedDate|dedup CaseNumber|eval new1=now()|eval new=strftime(new1,"%Y-%m-%d %H:%M:%S") |stats list(CreatedDate) as csstart, list(new) as cscurrent by CaseNumber,Priority,Status]|eval duration=strptime(current,"%Y-%m-%d %H:%M:%S") - strptime(start,"%Y-%m-%d %H:%M:%S")|eval Time=round(((((duration)/3600)/24)),0)|eval csduration=strptime(cscurrent,"%Y-%m-%d %H:%M:%S") - strptime(csstart,"%Y-%m-%dT%H:%M:%S")|eval CaseTime=round(((((csduration)/3600)/24)),0)|eval IncSLA=if((Time>3 AND priority=3),"P3 INC-SLA Breached", if((Time>7 AND priority=4),"P4 INC-SLA Breached","SLA Yet to Breach"))|eval CaseSLA=if((CaseTime>3 AND Priority="Medium"),"P3 Case-SLA Breached", if((CaseTime=1 AND Priority="Low"),"P4 Case-SLA Breached","SLA Yet to Breach"))|stats count(eval(IncSLA="P3 INC-SLA Breached")) as "P3 Inc-SLA Breached",count(eval(IncSLA="P4 INC-SLA Breached")) as "P4 Inc-SLA Breached",count(eval(CaseSLA="P3 case-SLA Breached")) as "P3 Case-SLA Breached", count(eval(CaseSLA="P4 Case-SLA Breached")) as "P4 Case-SLA Breached"|transpose|rename column as Incidents/Cases|rename "row 1" as "NoOfIncidents/Cases Breached"

Labels (1)
0 Karma