Join or Subsearch performance

MaryvonneMB · ‎03-11-2019

Hi all,

I have a performance question about "join" and "subsearch".
Even join is a ressource-guzzler command I saw that sometimes it works better than a subsearch:

for example:

Query A =>  index=my_index [search index=other_one earliest=-1d@d|fields field1 |dedup field1|table field1]
Query B => index=my_index |join type=inner max=1 field1 [search index=other_index earliest=-1d@d |fields field1 |dedup field1|table field1]

in "my_index" I have about 20 millions of datas. in "other_index" + earliest=-1d@d I have about 80 000 datas. In this case the query A is faster than query B.
But if i have more than 300 000 datas in "other_index" + earliest=-1d@d, then query B is faster query A.

Does anyone have an explanation?

Thanks 🙂

adonio · ‎03-15-2019

try this:

Query A =>  earliest=-2d@d latest=-1d@d index=my_index [search index=other_one earliest=-1d@d|fields field1 |dedup field1|table field1]
 Query B => earliest=-2d@d latest=-1d@d index=my_index |join type=inner max=1 field1 [search index=other_index earliest=-1d@d |fields field1 |dedup field1|table field1]

is there still a difference?

Join or Subsearch performance

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!