Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to eliminate join for better query perfomance

vikashperiwal
Path Finder
‎05-14-2019 06:21 AM

I have two query with same source , index with differnt time (once current day, other one pevious week day), i want to substract the current day minus previous day. below is the query i could write , i want to eliminate the join for better performance.

index=eniq source=dbmon-tail://Eniq/DC_E_IMSSBG_PROXYREGISTRAR* earliest=-4h
| fields _time, source, NE_ID, SignalingNetworkConnection_netId, SBGSIPREGSTATREGUSERGAUGE
| fields - _raw
| eval NE_netId=NE_ID.":".SignalingNetworkConnection_netId
| search NE_netId="ONHOOD-SBG-01:5" OR NE_netId="PQPTFD-SBG-01:5" OR NE_netId="ABBRLW-SBG-01:4" OR NE_netId="BCGLMR-SBG-01:4"
| stats values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRAR_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGauge
values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRARV6_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGaugeV6 values(SignalingNetworkConnection_netId) AS SignalingNetworkConnection_netId by NE_netId,_time, NE_ID
| eval sbgSipRegStatRegUserGauge1 = (sbgSipRegStatRegUserGaugeV6)|stats sum(sbgSipRegStatRegUserGauge1) as sbgSipRegStatRegUserGauge1 by NE_netId _time

| join [search

index=eniq source=dbmon-tail://Eniq/DC_E_IMSSBG_PROXYREGISTRAR* earliest= -7d-4h@m
| fields _time, source, NE_ID, SignalingNetworkConnection_netId, SBGSIPREGSTATREGUSERGAUGE, x
| fields - _raw
| eval NE_netId=NE_ID.":".SignalingNetworkConnection_netId
| search NE_netId="ONHOOD-SBG-01:5" OR NE_netId="PQPTFD-SBG-01:5" OR NE_netId="ABBRLW-SBG-01:4" OR NE_netId="BCGLMR-SBG-01:4"
| stats values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRAR_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGauge
values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRARV6_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGaugeV6 values(SignalingNetworkConnection_netId) AS SignalingNetworkConnection_netId by NE_netId,_time, NE_ID
| eval sbgSipRegStatRegUserGauge2 = (sbgSipRegStatRegUserGaugeV6)|stats sum(sbgSipRegStatRegUserGauge2) as sbgSipRegStatRegUserGauge2 by NE_netId _time]
| eval sbgSipRegStatRegUserGauge = (sbgSipRegStatRegUserGauge1 - sbgSipRegStatRegUserGauge2)
| timechart span=15m sum(sbgSipRegStatRegUserGauge) AS sbgSipRegStatRegUserGauge by NE_netId

0 Karma
Reply

dmarling
Builder
‎05-14-2019 01:22 PM

I'm not sure how your join is functioning at all at the moment since you don't have a field specified in it and the _time field on your subsearch in the join will be last week's timestamp so it won't line up with the _time field on your main search. I believe the overall concept you have is sound though. If you use union instead of join it should provide a bit better performance and you won't run into the problem of the subsearch being stopped after 30 seconds. I did tweak your second search a bit so it makes the _time field of last weeks data line up with the current time field so the subsequent stats that joins the two data sets together will function.

| union maxtime=300 timeout=300 
    [ search index=eniq source=dbmon-tail://Eniq/DC_E_IMSSBG_PROXYREGISTRAR* earliest=-4h 
    | fields _time, source, NE_ID, SignalingNetworkConnection_netId, SBGSIPREGSTATREGUSERGAUGE 
    | fields - _raw 
    | eval NE_netId=NE_ID.":".SignalingNetworkConnection_netId 
    | search NE_netId="ONHOOD-SBG-01:5" OR NE_netId="PQPTFD-SBG-01:5" OR NE_netId="ABBRLW-SBG-01:4" OR NE_netId="BCGLMR-SBG-01:4" 
    | stats values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRAR_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGauge
        values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRARV6_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGaugeV6 values(SignalingNetworkConnection_netId) AS SignalingNetworkConnection_netId by NE_netId,_time, NE_ID 
    | eval sbgSipRegStatRegUserGauge1 = (sbgSipRegStatRegUserGaugeV6) 
    | stats sum(sbgSipRegStatRegUserGauge1) as sbgSipRegStatRegUserGauge1 by NE_netId _time] 
    [ search index=eniq source=dbmon-tail://Eniq/DC_E_IMSSBG_PROXYREGISTRAR* earliest= -7d-4h@m 
    | fields _time, source, NE_ID, SignalingNetworkConnection_netId, SBGSIPREGSTATREGUSERGAUGE, x 
    | fields - _raw 
    | eval NE_netId=NE_ID.":".SignalingNetworkConnection_netId 
    | search NE_netId="ONHOOD-SBG-01:5" OR NE_netId="PQPTFD-SBG-01:5" OR NE_netId="ABBRLW-SBG-01:4" OR NE_netId="BCGLMR-SBG-01:4" 
    | eval _time=strptime(strftime(now(), "%x")." ".strftime(_time, "%H:%M:%S.%3N"), "%x %H:%M:%S.%3N")
    | stats values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRAR_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGauge
        values(eval(if(like(source,"%DC_E_IMSSBG_PROXYREGISTRARV6_RAW%"),SBGSIPREGSTATREGUSERGAUGE,""))) AS sbgSipRegStatRegUserGaugeV6 values(SignalingNetworkConnection_netId) AS SignalingNetworkConnection_netId by NE_netId,_time, NE_ID 
    | eval sbgSipRegStatRegUserGauge2 = (sbgSipRegStatRegUserGaugeV6) 
    | stats sum(sbgSipRegStatRegUserGauge2) as sbgSipRegStatRegUserGauge2 by NE_netId _time]
| stats values(sbgSipRegStatRegUserGauge1) as sbgSipRegStatRegUserGauge1 values(sbgSipRegStatRegUserGauge2) as sbgSipRegStatRegUserGauge2 by NE_netId _time
| eval sbgSipRegStatRegUserGauge = (sbgSipRegStatRegUserGauge1 - sbgSipRegStatRegUserGauge2) 
| timechart span=15m sum(sbgSipRegStatRegUserGauge) AS sbgSipRegStatRegUserGauge by NE_netId
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

vikashperiwal
Path Finder
‎05-20-2019 09:14 PM

Thank You for the reposne..

I could fix this .... thanks for the comments you added that helped me understanding the issue and i have extracted "Time" from _time and then i performed the search i.e join on the "Time" and it worked.

If you see my search query above , i did join on "Time".

0 Karma
Reply

dmarling
Builder
‎05-21-2019 05:09 AM

Glad I could help. If you could accept the answer I would appreciate it.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...