Re: help on subsearch with join command

jip31 · ‎01-09-2022

hi

I need to improve the subsearch below

I explain : the piece of code in the subsearch count the number of core of the machine

So this count is always the same no matter the time

So I wonder if it would better to put these results in a csv lookup and to query the csv lookup instead to query on the index?

or is there some other tracks for improve this search?

Thanks

index=toto sourcetype=tutu type=* runq 
| fields host _time runq type 
| stats max(runq) as runq by host _time 
| join host 
    [ search index=toto sourcetype=tutu type=* 
    | fields host cpu_core
    | search host=1328 
    | stats max(cpu_core) as nbcore by host ] 
| eval Vel = (runq / nbcore) 
| eval _time = strftime(_time, "%d-%m-%y %H:%M:%S") 
| sort - _time 
| rename host as Host, _time as Heure 
| table Heure Host Vel 
| sort - Vel

isoutamo · ‎01-09-2022

Hi

using lookup instead of query "static" values from index is almost always better/more efficient way.

There are many conf presentation which cover this issue. In most cases you should avoid to use join and instead use stats. Here is some links to those

r. Ismo

jip31 · ‎01-10-2022

Hi, many thanks

help on subsearch with join command

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

help on subsearch with join command

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem