Splunk Search

Is there any way to optimize post process searches instead of running them alternately?

akhil36109
New Member

Search 1 is :

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname

search 2 already has a join in it but I still take this is as one search :

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval

The Full Searches:

first one;

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname 
| join type=outer reportname 
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval ] 
| table reportname,time_interval,ReportCreatedDate 
| fillnull value="Extra_reports"

Second one:

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval 
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"

By joining search 1 type=outer [search 2 ] gives me Extra reports which are present in search1 and not present in search2

By joining search 2 type=outer [search 1 ] gives me missing reports which are present in search2 and not present in search1

Is there any way to optimize them instead of running alternately?

Thank you

0 Karma

valiquet
Contributor

Search 2 optimized. Stay away of subsearches. Stats is much faster than dedup

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver OR (index=offered_reports earliest=1522540800 Master="master_splunk")
| eval offer=lower(offer), Offer_Given=lower(Offer_Given)
| stats values(*) as * by reportname time_interval offer Offer_Given
| fields reportname time_interval

0 Karma

woodcock
Esteemed Legend

If you will give me samples from each set of data and then mockups of what you need, then I will answer your question.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...