Splunk Search
Highlighted

Is there any way to optimize post process searches instead of running them alternately?

New Member

Search 1 is :

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname

search 2 already has a join in it but I still take this is as one search :

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval

The Full Searches:

first one;

index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id 
| rename report_id as reportname 
| join type=outer reportname 
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval ] 
| table reportname,time_interval,ReportCreatedDate 
| fillnull value="Extra_reports"

Second one:

index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver 
| table offer 
| dedup offer 
| eval offer=lower(offer) 
| rename offer as Offer_Given 
| join max=0 Offer_Given 
[ search index=offered_reports earliest=1522540800 Master="master_splunk" 
| eval Offer_Given=lower(Offer_Given) ] 
| dedup reportname time_interval 
| table reportname time_interval 
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T") 
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"

By joining search 1 type=outer [search 2 ] gives me Extra reports which are present in search1 and not present in search2

By joining search 2 type=outer [search 1 ] gives me missing reports which are present in search2 and not present in search1

Is there any way to optimize them instead of running alternately?

Thank you

0 Karma
Highlighted

Re: Is there any way to optimize post process searches instead of running them alternately?

Esteemed Legend

If you will give me samples from each set of data and then mockups of what you need, then I will answer your question.

0 Karma
Highlighted

Re: Is there any way to optimize post process searches instead of running them alternately?

Contributor

Search 2 optimized. Stay away of subsearches. Stats is much faster than dedup

index=offeredreports earliest=1522540800 sourcetype=splunkoffer ServerName=denver OR (index=offeredreports earliest=1522540800 Master="mastersplunk")
| eval offer=lower(offer), OfferGiven=lower(OfferGiven)
| stats values(*) as * by reportname timeinterval offer OfferGiven
| fields reportname time_interval

0 Karma