Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I am combine two queries and calculating the percentage but.

rajhemant26
New Member
‎06-03-2018 11:17 PM

Hello everyone.

Want to display the output only for the time which crosses 18 months (earliest time)

Tags (1)
0 Karma
Reply

FrankVl
Ultra Champion
‎06-04-2018 02:16 AM

I took the liberty of editing your question, to put the search code as code, such that special characters like * don't disappear.

Couple of observations

  1. You're not just combining 2 queries, you're combining many more, with all those append statements
  2. You're using quite a few != filters, including also wildcards. Such negative filters are significantly slower than positive filters.
  3. You're pulling a lot of data together, doing some evals on different pieces. But in the end, all you do is a stats count as release1 which you then join with the second part, which ends with table Percent. Can you perhaps explain what you are trying to achieve here? It doesn't make a whole lot of sense to me.
  4. The search on the right side of your join calculates a percentage based on release2 - release1. But release1 is only defined on the left side of the join, so that calculation will never work like that. Shouldn't that last ] be before the | eval Percent... part?

So apart from the general remark on the != filters, I think we need some more explaining on what you are trying to achieve, before anyone can give a proper answer on how to improve your query.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-04-2018 02:16 AM

append and join aren't meant to be used like that.

earliest=1520640000 latest=1531526400 
(index=app host="prod*"  AND host= "*web*" OR host= "*wap*" _raw!="" AND _raw!="*sql*" AND exception!="*db2*" AND exception !="*solr*" error) OR
(index=app host="prod*" MQ _raw="*ERROR*" _raw!="*INFO*") OR
(index=app host="prod*" exception="*sql*" sqlserver OR db2) OR
(index=datatier riak sourcetype=kvs_console "\[error\]" host="prod*") OR
(index=datatier host="*prod*" source="*memsql*"  "ERROR") OR
(index=datatier OR index=app sourcetype="solr_log" SEVERE OR ERROR)
| stats count(eval(_time < 1526688000)) as release1 count(eval(_time >= 1526688000)) as release2 
| eval Percent = ((release2-release1)/ release1)*100  |table Percent

This will search your data in one go and count right away, instead of appending huge lists of raw data to each other

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-05-2018 04:27 AM

The next step is to figure out which part is taking up too much time. Run each segment individually:

earliest=1520640000 latest=1531526400 
(index=app host="prod*"  AND host= "*web*" OR host= "*wap*" _raw!="" AND _raw!="*sql*" AND exception!="*db2*" AND exception !="*solr*" error)
| stats count

Post the resulting count plus these values from the job inspector: scan count, run duration (or run time?).

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...