Splunk Search

How to optimize search to compare calculated value with the previous value from some time ago

New Member

Hello.
I have this search:

index="flow" earliest=-15m latest=now 
| append [search index="flow" earliest=-15m latest=-60s
| eventstats  sum(cli2srv_bytes_full) as upload_by_local_ip2 sum(srv2cli_bytes_full) as download_by_local_ip2 by local_ip, remote_ip
| dedup local_ip remote_ip 
| table new_time  local_ip remote_ip upload_by_local_ip2 download_by_local_ip2
| outputlookup  append=false flows_search.csv
]
| lookup flows_search.csv local_ip remote_ip OUTPUT upload_by_local_ip2, download_by_local_ip2
| eventstats  sum(cli2srv_bytes_full) as upload_by_local_ip sum(srv2cli_bytes_full) as download_by_local_ip by local_ip, remote_ip
| dedup local_ip remote_ip 
| eval upload_by_local_ip2 = if(isnull(upload_by_local_ip2), 0, upload_by_local_ip2)
| eval download_by_local_ip2 = if(isnull(download_by_local_ip2), 0, download_by_local_ip2)
| eval limit = upload_by_local_ip - upload_by_local_ip2

So I calculated the transmitted bytes from -15m to now and from -15m to -1m, and view how it changes, and this is the question:
I think this is complicated code and has overhead.
How do I optimize the search?
Thanks in advance.


Re: How to optimize search to compare calculated value with the previous value from some time ago

New Member

| eval cli2srv_bytes_full2=if(now()-_time>=60,cli2srv_bytes_full,0) in the main search, without the second search, seems to work


Re: How to optimize search to compare calculated value with the previous value from some time ago

SplunkTrust

@borgetko If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.

Re: How to optimize search to compare calculated value with the previous value from some time ago

New Member

The problem is not resolved because in events where now()-_time < 60 the value of **cli2srv_bytes_full2** is 0, so
if I do dedup by **cli2srv_bytes_full** then **cli2srv_bytes_full2** will be 0, but I want **cli2srv_bytes_full2** to have the latest (highest) value.
I tried to do transaction without dedup, but the job takes more time than with 2 searches.

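Computing both windows in one pass over the events, as an added example that is not part of this thread: each eventstats+dedup pair in the original collapses into a plain stats by local_ip and remote_ip, and the older window becomes a conditional sum keyed on event age, so no dedup ever runs after the conditional eval and the older-window field is not zeroed. It assumes the thread's field names (cli2srv_bytes_full, srv2cli_bytes_full, local_ip, remote_ip), that _time is the event timestamp and that now() is the search start time; age_sec is a hypothetical helper field.

```spl
index="flow" earliest=-15m latest=now
| eval age_sec = now() - _time
| stats sum(cli2srv_bytes_full) as upload_by_local_ip
        sum(srv2cli_bytes_full) as download_by_local_ip
        sum(eval(if(age_sec >= 60, cli2srv_bytes_full, 0))) as upload_by_local_ip2
        sum(eval(if(age_sec >= 60, srv2cli_bytes_full, 0))) as download_by_local_ip2
        by local_ip, remote_ip
| eval limit = upload_by_local_ip - upload_by_local_ip2
```

A pair seen only in the last 60 seconds gets upload_by_local_ip2 = 0, matching the isnull-to-0 handling of the original, and limit is the bytes added in that last minute; the append, outputlookup and lookup steps are no longer needed.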