Join or Subsearch performance

MaryvonneMB · ‎03-11-2019

Hi all,

I have a performance question about "join" and "subsearch".
Even join is a ressource-guzzler command I saw that sometimes it works better than a subsearch:

for example:

Query A =>  index=my_index [search index=other_one earliest=-1d@d|fields field1 |dedup field1|table field1]
Query B => index=my_index |join type=inner max=1 field1 [search index=other_index earliest=-1d@d |fields field1 |dedup field1|table field1]

in "my_index" I have about 20 millions of datas. in "other_index" + earliest=-1d@d I have about 80 000 datas. In this case the query A is faster than query B.
But if i have more than 300 000 datas in "other_index" + earliest=-1d@d, then query B is faster query A.

Does anyone have an explanation?

Thanks 🙂

adonio · ‎03-15-2019

try this:

Query A =>  earliest=-2d@d latest=-1d@d index=my_index [search index=other_one earliest=-1d@d|fields field1 |dedup field1|table field1]
 Query B => earliest=-2d@d latest=-1d@d index=my_index |join type=inner max=1 field1 [search index=other_index earliest=-1d@d |fields field1 |dedup field1|table field1]

is there still a difference?

Join or Subsearch performance

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Join or Subsearch performance

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions