Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I optimize the performance of my current base search and subsearches?

bhavisankar
New Member
‎11-29-2016 12:12 AM

I have a base search to collect all data and some subsearches that access these base searches to draw graphs.

Base search: 

index = app sourcetype = airchangeservice "LogName=com.expedia.www.platform.diagnostics.tracing.TraceResources"  | rex "(?{[^}]+})" | mvexpand json_field | spath input=json_field | search (eventName="AIR_CANCEL_SERVICE" OR eventName="AIR_VOID_SERVICE")  | fields eventName, context.STATUS, context.TPID

The subsearches draw graphs for different eventName, context.STATUS, context.TPID.

See one of my subsearches:

      <query>| search ("PROVIDER CODE":"TF") OR ("PROVIDER_CODE":"TF") AND  eventName="AIR_CANCEL_SERVICE"| timechart span=1d count by context.STATUS</query>  </search>

Is there anything I can do to optimize the searches?

0 Karma
Reply

sundareshr
Legend
‎11-29-2016 05:55 AM

Without looking at your data, its hard to recommend optimizations. I also wonder if your sub query returns anything, because your base query does not include _time, needed for timechart. However, there are a couple of things you could try.

1) Add a transforming command to your base search. Like this

index=app sourcetype=airchangeservice "LogName=com.expedia.www.platform.diagnostics.tracing.TraceResources" | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search (eventName="AIR_CANCEL_SERVICE" OR eventName="AIR_VOID_SERVICE") | timechart span=1d count by eventName, context.STATUS, context.TPID

And you sub query should be

<query>| search ("PROVIDER CODE":"TF") OR ("PROVIDER_CODE":"TF") AND  eventName="AIR_CANCEL_SERVICE"| table _time count context.STATUS</query></search>

2) Try moving more search filters to the base search, like this

index=app sourcetype=airchangeservice "LogName=com.expedia.www.platform.diagnostics.tracing.TraceResources" ("AIR_CANCEL_SERVICE" OR "AIR_VOID_SERVICE")  | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | timechart span=1d count by eventName, context.STATUS, context.TPID

3) Consider using accelerated data models and tstats

http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Aboutsummaryindexing

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...