Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I optimize the performance of my current base search and subsearches?

bhavisankar
New Member
‎11-29-2016 12:12 AM

I have a base search to collect all data and some subsearches that access these base searches to draw graphs.

Base search: 

index = app sourcetype = airchangeservice "LogName=com.expedia.www.platform.diagnostics.tracing.TraceResources"  | rex "(?{[^}]+})" | mvexpand json_field | spath input=json_field | search (eventName="AIR_CANCEL_SERVICE" OR eventName="AIR_VOID_SERVICE")  | fields eventName, context.STATUS, context.TPID

The subsearches draw graphs for different eventName, context.STATUS, context.TPID.

See one of my subsearches:

      <query>| search ("PROVIDER CODE":"TF") OR ("PROVIDER_CODE":"TF") AND  eventName="AIR_CANCEL_SERVICE"| timechart span=1d count by context.STATUS</query>  </search>

Is there anything I can do to optimize the searches?

0 Karma
Reply

sundareshr
Legend
‎11-29-2016 05:55 AM

Without looking at your data, its hard to recommend optimizations. I also wonder if your sub query returns anything, because your base query does not include _time, needed for timechart. However, there are a couple of things you could try.

1) Add a transforming command to your base search. Like this

index=app sourcetype=airchangeservice "LogName=com.expedia.www.platform.diagnostics.tracing.TraceResources" | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search (eventName="AIR_CANCEL_SERVICE" OR eventName="AIR_VOID_SERVICE") | timechart span=1d count by eventName, context.STATUS, context.TPID

And you sub query should be

<query>| search ("PROVIDER CODE":"TF") OR ("PROVIDER_CODE":"TF") AND  eventName="AIR_CANCEL_SERVICE"| table _time count context.STATUS</query></search>

2) Try moving more search filters to the base search, like this

index=app sourcetype=airchangeservice "LogName=com.expedia.www.platform.diagnostics.tracing.TraceResources" ("AIR_CANCEL_SERVICE" OR "AIR_VOID_SERVICE")  | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | timechart span=1d count by eventName, context.STATUS, context.TPID

3) Consider using accelerated data models and tstats

http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Aboutsummaryindexing

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...