Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is this the fastest way? (sub search?)

howyagoin
Contributor
‎02-21-2012 06:33 PM

Hi,

I get the feeling that there's a better/faster way for me to do what I'm doing. I have a query such as this:

index=bigger [ search index=smaller source="stuff.txt" | fields data | rename data as query ] | table EventTime,info

What I'm looking for is the "data" field in the "smaller" index and "stuff.txt" source anywhere in the "bigger" index. The "data" field happens to occur in the "info" fields in the "bigger" database...

Is this the best way to do such a query, or is there a better option that I'm overlooking? I thought about a "join" but fields are not named consistently - probably fixable, but, wasn't sure which approach is the fastest.

Thanks.

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-21-2012 10:14 PM

almost.

provided there are no duplicate values of data in stuff.txt, and that there are no more than 10,000 distinct values, then this is the fastest way:

index=bigger [ search index=smaller source="stuff.txt" | dedup data | fields data | rename data as info ] | table EventTime,info

Note the dedup and the rename of the field to info, which you said was the field you were looking for. In version 4.3+, you can do the following with the return command, which is slightly easier to read:

index=bigger [ search index=smaller source=stuff.txt | return 10000 info=data ] | table EventTime,info
0 Karma
Reply

howyagoin
Contributor
‎02-22-2012 12:36 AM

Thanks - the data was already unique in the "stuff.txt" file, so the dedup didn't add much. For some reason "return" seems to take significantly longer than my existing approach - as does the renaming of "data" as "info"...huh.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...