Splunk Search

Is there any way to optimize post process searches instead of running them alternately?

akhil36109
New Member

Search 1 is :

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname

search 2 already has a join in it but I still take this is as one search :

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval

The Full Searches:

first one;

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname 
| join type=outer reportname 
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval ] 
| table reportname,time_interval,ReportCreatedDate 
| fillnull value="Extra_reports"

Second one:

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval 
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"

By joining search 1 type=outer [search 2 ] gives me Extra reports which are present in search1 and not present in search2

By joining search 2 type=outer [search 1 ] gives me missing reports which are present in search2 and not present in search1

Is there any way to optimize them instead of running alternately?

Thank you

0 Karma

valiquet
Contributor

Search 2 optimized. Stay away of subsearches. Stats is much faster than dedup

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver OR (index=offered_reports earliest=1522540800 Master="master_splunk")
| eval offer=lower(offer), Offer_Given=lower(Offer_Given)
| stats values(*) as * by reportname time_interval offer Offer_Given
| fields reportname time_interval

0 Karma

woodcock
Esteemed Legend

If you will give me samples from each set of data and then mockups of what you need, then I will answer your question.

0 Karma
Get Updates on the Splunk Community!

App Building 101 - Build Your First App!

WATCH RECORDING NOW   Tech Talk: App Dev Edition Splunk has tons of out-of-the-box functionality, and you’ve ...

Introducing support for Amazon Data Firehose in Splunk Edge Processor

We’re excited to announce a powerful update to Splunk Data Management with added support for Amazon Data ...

The Observability Round-Up: September 2024

What’s up Splunk Community! Welcome to the latest edition of the Observability Round-Up, a monthly series in ...