Solved: Help to accelerate search

jip31 · ‎11-01-2022

Hi

I use the search below which has to be used only in real time

The goal of the search is to calculate a percentage

It works fine except the performances because the subsearch returns a lot of events

inde=toto (sourcetype= titi OR sourcetype=tutu) web-status=405

| fields web-status

| stats count as total by web-status

| appendcols

[ search

inde=toto (sourcetype= titi OR sourcetype=tutu) web-status=*

| fields web-status

| stats count as total2 by web-status]

| eval perc=(toto / toto2) * 100

What i can do please?

jip31 · ‎11-01-2022

thanks for inormation I done a test with the 2 search on the same range time

your searck too 14, 2 seconds to end

my search 16,5

other question

and the percentage result is exactly the same...

View solution in original post

richgalloway · ‎11-01-2022

If the subsearch returns multiple results as you say then this query will fail. The appendcols command does not ensure the subsearch results align with the main search results so the numbers used to calculate the perc value may be incorrect.

This can be done without a subsearch.

index=toto (sourcetype= titi OR sourcetype=tutu) web-status=*
| fields web-status
| stats count as total, sum(eval('web-status'=405)) as total405
| eval perc=(total405 * 100 / total)

Pro tip: Avoid using hypens (-) in field names as they can confuse the parser.

---
If this reply helps you, Karma would be appreciated.

jip31 · ‎11-01-2022

thanks for inormation I done a test with the 2 search on the same range time

your searck too 14, 2 seconds to end

my search 16,5

Help to accelerate search

other

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...