Splunk Search

How to improve performance of stats sum

bapun18
Communicator

Hi, I want to improve my search for better search performance, please find the attachment enclosed. [attached screenshot]

0 Karma
1 Solution

niketn
Legend

@bapun18 the only possibility in the query seems to be that you can just delete | search from your search so that the filter for field x-vf-trace-source can be applied while fetching data from the index. Please try it out and confirm!

If the query performs for a day but not for multiple days, you can try using daily summary indexing.
If you can have indexed extraction for field x-vf-trace-source, you can use tstats, which would work much faster.
If indexed extraction is not possible, you can explore data model acceleration.

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutsummaryindexing

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma


to4kawa
Ultra Champion

index=myvdf_smapi_de_db sourcetype=smapi_collector_adnroid_myvf_de x-vf-trace-source="android:com.appseleration.android.selfcare"
|eval bytes=len(_raw)
|timechart span=1d sum(bytes) as Total_bytes

Hi, you searched twice because of the search in the second line. Let's remove this.

|tstats sum(bytes) where index=myvdf_smapi_de_db sourcetype=smapi_collector_adnroid_myvf_de x-vf-trace-source="android:com.appseleration.android.selfcare"

Creating a data model so that this search can be used is one of the solutions.

Design data models

0 Karma
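The advice in niketn's solution and to4kawa's reply, put together as an added example (not code from either poster or from the original screenshot). It assumes the index, sourcetype and x-vf-trace-source value quoted in the thread, that the default summary index named "summary" exists, and a made-up saved-search name "daily_bytes_summary"; lines starting with # are explanatory labels, not SPL, and each numbered query is run on its own.

```spl
# 1. Original shape, reconstructed from the replies: a trailing | search makes
#    Splunk fetch every event of the sourcetype and only then drop the rest.
index=myvdf_smapi_de_db sourcetype=smapi_collector_adnroid_myvf_de
| search x-vf-trace-source="android:com.appseleration.android.selfcare"
| eval bytes=len(_raw)
| timechart span=1d sum(bytes) as Total_bytes

# 2. Same result with the filter in the base search, so it is applied while
#    reading the index (niketn's and adonio's point). Run it in Fast Mode.
index=myvdf_smapi_de_db sourcetype=smapi_collector_adnroid_myvf_de x-vf-trace-source="android:com.appseleration.android.selfcare"
| eval bytes=len(_raw)
| timechart span=1d sum(bytes) as Total_bytes

# 3. Daily summary indexing: save this as a scheduled search that runs once a
#    day over the previous day only and writes one row per day to the summary
#    index (saved-search name "daily_bytes_summary" is assumed).
index=myvdf_smapi_de_db sourcetype=smapi_collector_adnroid_myvf_de x-vf-trace-source="android:com.appseleration.android.selfcare" earliest=-1d@d latest=@d
| eval bytes=len(_raw)
| bin _time span=1d
| stats sum(bytes) as Total_bytes by _time
| collect index=summary source="daily_bytes_summary"

# 4. Report over any time range from the summary rows instead of raw events.
index=summary source="daily_bytes_summary"
| timechart span=1d sum(Total_bytes) as Total_bytes

# 5. tstats variant: only valid if both x-vf-trace-source and bytes are indexed
#    fields or come from an accelerated data model; a field created with eval at
#    search time, as bytes is above, is not visible to tstats.
| tstats sum(bytes) as Total_bytes where index=myvdf_smapi_de_db sourcetype=smapi_collector_adnroid_myvf_de x-vf-trace-source="android:com.appseleration.android.selfcare" by _time span=1d
```

To check that the rewrite actually helps, open the Job Inspector for query 1 and query 2 over the same time range and compare the "scanning N events" figure in the summary line: query 2 should scan far fewer events for the same result set. Query 4 is what you run for multi-day reporting once query 3 has been scheduled, and it will only cover days that the scheduled search has already written.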

arjunpkishore5
Motivator

Looking at the Events tab, it looks like you are in "Verbose Mode". Change your search from "Verbose Mode" to "Fast Mode" (on the bottom right of your search panel). That should speed things up.


Please mark as answer if this helps.

Cheers

0 Karma

adonio
Ultra Champion

Seems like you are trying to calculate the size of each event and then sum them up to get total usage per day...
Why not look at the _internal index for license usage of this particular source in this particular index?

There are tons of answers around this forum regarding license usage monitoring.
Also, no need to do the | search, it's redundant; just add all your filters.

0 Karma

arjunpkishore5
Motivator

He has a filter for a specific type of event. I would guess that's the reason he needs to calculate the size of each event. 🙂

0 Karma

adonio
Ultra Champion

If he needs the size of each event, he wouldn't sum it up by time (1d).

0 Karma

arjunpkishore5
Motivator

Apologies for the confusion. Let me try to rephrase. It looks like they want to calculate the amount of data generated by a specific type of event by day. As far as I'm aware, License usage provides metrics at metadata level and does not provide metrics for a subset of the data within the index.

0 Karma

richgalloway
SplunkTrust

It would have been helpful to copy-and-paste the query into your question so we can test it ourselves.
What about this query needs improving? The screenshot does not show any performance information, so we don't know what needs to change.
Have you looked at the Job Inspector?

---
If this reply helps you, Karma would be appreciated.
0 Karma