Splunk Search

Making field extractor searches faster

smhsplunk
Communicator

How to extract extracted fields faster

When I search for a field in the search window it's very fast (although it returns me the entire event).

But when I use the field extractor to convert it into a keyword (which is a part of the event)
and look for the keyword in a search, then it's very slow:

    index=main host="*" 
    |  search * keyword12!="NULL" 
    | dedup host
    | table keyword12, host

Trying to find the matches with keyword12 in the hosts.
How can I make this fast? Am I using the above search properly?

0 Karma
1 Solution

twinspop
Influencer

There is no benefit to searching for something, then re-running search in a new command (after a pipe). And bare asterisks serve no purpose at all.

index=main keyword12!="NULL" 
| dedup host 
| table keyword12, host

This will return the same results as your search and should be a lot more efficient.

EDIT: If at all possible avoid negated searching. In other words, try to turn the keyword12 NOT EQUAL term into a positive match, or a series of positive matches using OR. Negative matching is far less efficient than positive matching.

keyword12=something OR keyword12=somethingelse OR keyword12=otherthing

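The efficiency point in the accepted answer, as an added illustration that is not part of the thread and not Splunk's own code: a toy inverted index in Python models why a negated field test (`keyword12!="NULL"`) has to open and field-extract every event in the index, while a list of positive terms joined with OR can be narrowed to the events whose term postings match before any extraction happens. The sample events, the token index and the `keyword12=` extraction rule are all constructed assumptions for the demo; Splunk's real lexicon, tsidx and bloom-filter machinery is more elaborate, but the shape of the cost is the same.

```python
"""Why a positive term list beats a negated term: a toy inverted index.

Added illustration for this thread; it is NOT Splunk's own code and only
models the general idea. All events below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample events: (host, raw text). keyword12 is a field that is
# extracted from the raw text at search time from a "keyword12=<value>" token.
EVENTS = [
    ("web01", "2024-01-01 login ok keyword12=alpha user=a"),
    ("web02", "2024-01-01 login ok keyword12=NULL user=b"),
    ("web03", "2024-01-01 login ok keyword12=beta user=c"),
    ("web01", "2024-01-01 login ok keyword12=alpha user=d"),
    ("db01",  "2024-01-01 backup done user=e"),            # no keyword12 at all
    ("web04", "2024-01-01 login ok keyword12=gamma user=f"),
]


def build_index(events):
    """Map each whitespace-delimited token to the ids of events containing it
    (a stand-in for the indexed-term lexicon)."""
    postings = defaultdict(set)
    for eid, (_host, raw) in enumerate(events):
        for tok in raw.split():
            postings[tok].add(eid)
    return postings


def extract_keyword12(raw):
    """Search-time field extraction: value after 'keyword12=' or None."""
    for tok in raw.split():
        if tok.startswith("keyword12="):
            return tok.split("=", 1)[1]
    return None


def negated_search(events, value="NULL"):
    """keyword12!=value: every event must be read and the field extracted.
    Like Splunk's !=, events where the field is absent are excluded.
    Returns (matching event ids, number of events scanned)."""
    scanned = 0
    hits = []
    for eid, (_host, raw) in enumerate(events):
        scanned += 1
        v = extract_keyword12(raw)
        if v is not None and v != value:
            hits.append(eid)
    return hits, scanned


def positive_or_search(events, postings, values):
    """keyword12=v1 OR keyword12=v2 ...: only events found in the postings for
    the literal tokens are opened; all others are never touched.
    Returns (matching event ids, number of events scanned)."""
    candidates = set()
    for v in values:
        candidates |= postings.get(f"keyword12={v}", set())
    scanned = 0
    hits = []
    for eid in sorted(candidates):
        scanned += 1                      # still verify the extracted field
        if extract_keyword12(events[eid][1]) in values:
            hits.append(eid)
    return hits, scanned


def dedup_host(events, hit_ids):
    """| dedup host : keep the first hit per host, in event order,
    returning (keyword12, host) rows like the final table."""
    seen = set()
    rows = []
    for eid in hit_ids:
        host = events[eid][0]
        if host not in seen:
            seen.add(host)
            rows.append((extract_keyword12(events[eid][1]), host))
    return rows


if __name__ == "__main__":
    idx = build_index(EVENTS)
    neg_hits, neg_scanned = negated_search(EVENTS)
    pos_hits, pos_scanned = positive_or_search(EVENTS, idx, {"alpha", "beta", "gamma"})
    print("negated :", dedup_host(EVENTS, neg_hits), "events scanned:", neg_scanned)
    print("positive:", dedup_host(EVENTS, pos_hits), "events scanned:", pos_scanned)
```

Both searches return the same three rows, but the negated form scans all six events while the OR form opens only the four that carry one of the listed values. Two caveats when applying this rewrite to a real search: Splunk's `!=` already excludes events in which the field is absent (unlike `NOT keyword12="NULL"`), so the positive OR list matches that behaviour, and the rewrite is only equivalent when the list covers every value you care about. For a search used as a detection that matters: a value that is not in the list is silently dropped, so the list needs to be maintained as new values appear.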

hunters_splunk
Splunk Employee

Hi smhsplunk,

I'm wondering if you could just put your filter keyword12!=NULL in the main query rather than after the pipeline. Please try this:

index=main keyword12!=NULL | dedup host keyword12

Hope it helps. Thanks!
Hunter Shen

smhsplunk
Communicator

One of the best pieces of Splunk advice I've gotten so far!!! Removing != and putting the possible values in OR makes things way faster.

0 Karma

twinspop
Influencer

Glad I could help. Cheers!

0 Karma