- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to optimize the given query without using join
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to optimize the given query without using join
Hi,
I need to Optimize my query to improve the dashboard performance without using any type of join function.
Below is my query
| inputlookup sample.csv
| search user IN ( ) application_name IN () "application id" IN (*)
|eval None="None"
| table "application id",application_name,user,"Status",Type,"Service Host",Platform,Jan,Feb,Mar,Apr,None,env
| rename "application_name" as Server_Name
| eval Server_Name=upper(Server_Name)
| join type=left Server_Name
[ search index=idx sourcetype=xyz
| eval Server_Name=upper(Server_Name)
| search Status!="Completed"
| table Server_Name Status]
| search Status!="Completed" | stats sum("Jan") as jan sum("Feb") as feb sum("Mar") as mar sum("Apr") as apr by env
| eval total = jan+feb + mar + apr
|table env total
Please help me to optimize this query without using join
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATED:
index=idx sourcetype=xyz Status="retain" OR Status="progress" Server_Name=*
| eval Server_Name=upper(Server_Name)
| table Server_Name Status
| dedup Server_Name
| lookup sample.csv "application_name" as Server_Name OUTPUTNEW
| eval None="None"
| where isnotnull(user)
| search user IN ( ) application_name IN () "application id" IN (*)
| stats sum("Jan") as jan sum("Feb") as feb sum("Mar") as mar sum("Apr") as apr by env
| eval total = jan+feb + mar + apr
| table env total
Hi, @avni26
some code is disappear.Status of Server_Name is latest status.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa Thank you for your response.
I tried to execute like above, but why lookup fields giving multiple values in same row.
thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| lookup sample.csv "application_name" as Server_Name OUTPUTNEW
Maybe, there is same Server_name.
| dedup Server_name
but, Status is unclear.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Status is coming from index having values like completed, retain, progress l
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
