Thank you for the suggestion.  Unfortunately, this is the longest running version so far.  But I don't see which part of this achieves the objective of only returning the rows that match the objectids in the initial query of versionid=1.  How is this supposed to achieve that? 

Thanks for the suggestion, but it takes much longer, unfortunately, because it still evaluates every event with versionid=2 instead of only bringing back those for objectid=1 first and then filtering on those first.

Have you try these proposals in your environment or have you just decide that those didn't work?

I have evaluated those with our data (of course not exactly same than you have, but amount and cardinality should be enough equal).

With your example:

This search has completed and has returned 757 results by scanning 73,213 events in 7.786 seconds

The following messages were returned by the search subsystem:

info : [subsearch]: Subsearch produced 68838 results, truncating to maxout 50000.

===> not correct result

With my:

This search has completed and has returned 1,169 results by scanning 141,222 events in 3.862 seconds

And when I use smaller samples where sub search even works those execution times was relative 

Yours/my: 1.335 vs 0.324s

Both queries returns same amount of events.

r. Ismo

I said it takes longer, so, I would only know that from testing, right?

But, I can also see from the query that there is nothing in there that achieves what I have specifically asked for.  Although the results may achieve the same dataset, it still does not do it in an efficient way.  The query uses basic functions of Splunk that I am very familiar with and have tried in so many different ways.  But the specific ask here is about how to quickly retrieve JUST the rows that match the ids returned in the first query.

I know that Splunk is not SQL, but to make it a bit clearer what I am trying to achieve...

SELECT *
FROM MYINDEX
WHERE OBJECTID IN (SELECT OBJECTID FROM MYINDEX WHERE VERSIONID=1)
AND VERSIONID=2

I have updated the original post with this clarity.  Hope it helps.

Thanks for the link to a very good description of joins.  I am very familiar with all the join options and have chosen the inner join as I would expect that to just bring back the rows where there is a matching id on both sides, but Splunk still returns all 5 million rows (or whatever the count is for the various periods I have tried) rather than just return the 200 rows for the ids that I am interested in, which I can get back quickly if I put the long list of IDs in the query.  But I can't specify the list up front because I don't know which ids are going to still be on versionid=1.

How can I force the second query to only bring back the ids from the first query?  I am worried that I am missing an obvious attribute of the join (and have checked the Splunk docs https://splk.it/3smaaNf) that would allow this filtering to happen.

I appreciate the time you are spending on this.  Many thanks.

Can you try this one:

index=myindex sourcetype=mysourcetype versionid IN (1, 2)
| fields _time objectid versionid <other fields which you are needing>
| stats range(_time) as duration values(*) as * by objectid
| where mvcount(versionid) > 1 AND isnotnull(mvfind(versionid, 1)) AND isnotnull(mvfind(versionid, 2))
| eval duration = tostring(duration, "duration")

 This works for me.

Thanks again!   🙂

This also takes a long time to run, basically because the very first statement pulls back everything.  It is pulling back all the 2s, when I only want the 2s that have a 1.  Forget all the other processing after that statement to calculate the duration (although there is some interesting syntax in there that I haven't used before that looks cool that I am going to investigate separately, thank you) but if you can trim the query down to just the first statement and get that to just return the 1s and the 2s that have a 1, and do it without first pulling back all the 2s and then filtering afterwards, that will solve my problem.  I am guessing there is no way to achieve that as no-one on any forums seems to have a solution.

Thanks for the suggestion, but that takes much longer, unfortunately.

I am really looking for some way to quickly ONLY return the versionid=2 events that are for the subset of objectids that have any versionid=1 events

Thanks