Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is this the fastest way? (sub search?)

howyagoin
Contributor
‎02-21-2012 06:33 PM

Hi,

I get the feeling that there's a better/faster way for me to do what I'm doing. I have a query such as this:

index=bigger [ search index=smaller source="stuff.txt" | fields data | rename data as query ] | table EventTime,info

What I'm looking for is the "data" field in the "smaller" index and "stuff.txt" source anywhere in the "bigger" index. The "data" field happens to occur in the "info" fields in the "bigger" database...

Is this the best way to do such a query, or is there a better option that I'm overlooking? I thought about a "join" but fields are not named consistently - probably fixable, but, wasn't sure which approach is the fastest.

Thanks.

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-21-2012 10:14 PM

almost.

provided there are no duplicate values of data in stuff.txt, and that there are no more than 10,000 distinct values, then this is the fastest way:

index=bigger [ search index=smaller source="stuff.txt" | dedup data | fields data | rename data as info ] | table EventTime,info

Note the dedup and the rename of the field to info, which you said was the field you were looking for. In version 4.3+, you can do the following with the return command, which is slightly easier to read:

index=bigger [ search index=smaller source=stuff.txt | return 10000 info=data ] | table EventTime,info
0 Karma
Reply

howyagoin
Contributor
‎02-22-2012 12:36 AM

Thanks - the data was already unique in the "stuff.txt" file, so the dedup didn't add much. For some reason "return" seems to take significantly longer than my existing approach - as does the renaming of "data" as "info"...huh.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...