Search 1 is :
index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id
| rename report_id as reportname
search 2 already has a join in it but I still take this is as one search :
index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval
The Full Searches:
first one;
index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id
| rename report_id as reportname
| join type=outer reportname
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval ]
| table reportname,time_interval,ReportCreatedDate
| fillnull value="Extra_reports"
Second one:
index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"
By joining search 1 type=outer [search 2 ]
gives me Extra reports which are present in search1 and not present in search2
By joining search 2 type=outer [search 1 ]
gives me missing reports which are present in search2 and not present in search1
Is there any way to optimize them instead of running alternately?
Thank you
Search 2 optimized. Stay away of subsearches. Stats is much faster than dedup
index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver OR (index=offered_reports earliest=1522540800 Master="master_splunk")
| eval offer=lower(offer), Offer_Given=lower(Offer_Given)
| stats values(*) as * by reportname time_interval offer Offer_Given
| fields reportname time_interval
If you will give me samples from each set of data and then mockups of what you need, then I will answer your question.