Base and post process search

prettysunshinez · ‎05-11-2020

Can someone help me in understanding the actual use of base and post process searches please.
And I would also like to know if streamstats and eventstats will be recommended as transforming commands in base searches and will there be any performance issue in using them

to4kawa · ‎05-11-2020

https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/Savedsearches#Post-process_searches

what's the problem?

niketn · ‎05-11-2020

To be specific Post Processing Best Practices.

The reason for use of transforming commands in base search is so that you reduce the number of rows by using some aggregation field/s and have base search pull only required (reduced) rows and colums. However, if only eventstats and streamstats are used you will still have original no. or rows and will not be reducing the total number of events.

As far as performance is concerned depends upon factors like:
1. Your Splunk environment specs and configs
2. How much data is getting pulled in your base search.
3. Use loadjob vs. post-processing.
4. Other Acceleration techniques like metrics index, data model acceleration etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Base and post process search

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms