Solved: Difference in Queries

koushiknandan · ‎11-07-2014

Hi,

Though I'm receiving the same output for both my queries, curious to know the difference (executions, time taken, etc) between them.
The bold part is the only change.

index=PD host=ABC* uri="/XXXX" AND (http_status="200" OR http_status="500") | convert timeformat="%Y-%m-%d" ctime(_time) AS Date | stats count(eval(http_status="200")) as "HTTP 200", count(eval(http_status="500")) as "HTTP 500" by Date

index=PD host=ABC* uri="/XXXX" | convert timeformat="%Y-%m-%d" ctime(_time) AS Date | stats count(eval(http_status="200")) as "HTTP 200", count(eval(http_status="500")) as "HTTP 500" by Date

Thanks

wpreston · ‎11-07-2014

Splunk gives the kind of information you're looking for in the job inspector. Take a look at it for each of your searches by clicking job --> inspect job and see if it has what you need.

View solution in original post

wpreston · ‎11-07-2014

Splunk gives the kind of information you're looking for in the job inspector. Take a look at it for each of your searches by clicking job --> inspect job and see if it has what you need.

Difference in Queries

Fall Into Learning with New Splunk Education Courses

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Are you a member of the Splunk Community?

Difference in Queries

Fall Into Learning with New Splunk Education Courses

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes