Splunk Search

Multiple joins cause slowness in splunk dashboard?Is any other way to make faster?

karthi2809
Builder

How can we club those joins?

index="xxx" applicationName="api" environment=$env$ timestamp correlationId trace message ("Ondemand Started*" OR "Expense Process started")
| rename sourceFileName as SourceFileName content.JobName as JobName
| eval "FileName/JobName"= coalesce(SourceFileName,JobName)
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as Tracepoint message as Message
| eval JobType=case(like('Message',"%Ondemand Started%"),"OnDemand",like('Message',"Expense Process started%"),"Scheduled", true() , "Unknown")
| eval Message=trim(Message,"\"")
| table Timestamp CorrelationId Tracepoint JobType "FileName/JobName" Message
| join CorrelationId type=left
    [ search index="xxx" applicationName="api" trace=ERROR
    | rename correlationId as CorrelationId trace as TracePoint message as StatusMessage
    | dedup CorrelationId
    | table CorrelationId TracePoint StatusMessage]
| table Timestamp CorrelationId TracePoint JobType "FileName/JobName" StatusMessage
| join CorrelationId type=left
    [ search index="xxx" applicationName="api" message="*Before Calling flow archive-Concur*"
    | rename correlationId as CorrelationId content.loggerPayload.archiveFileName as ArchivedFileName
    | table CorrelationId ArchivedFileName]
| table Timestamp CorrelationId TracePoint JobType "FileName/JobName" ArchivedFileName StatusMessage


gcusello
SplunkTrust

Hi @karthi2809,

As I said in the previous answer: don't use join; Splunk isn't a DB. Use stats or something similar to this:

index="xxx" applicationName="api" ((environment=$env$ timestamp correlationId trace message ("Ondemand Started*" OR "Expense Process started")) OR (trace=ERROR) OR (message="*Before Calling flow archive-Concur*"))
| rename sourceFileName as SourceFileName content.JobName as JobName
| eval "FileName/JobName"= coalesce(SourceFileName,JobName)
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as Tracepoint message as Message
| eval JobType=case(like('Message',"%Ondemand Started%"), "OnDemand", like('Message',"Expense Process started%"), "Scheduled", true(), null())
| eval Message=trim(Message,"\"")
| eval Tracepoint=coalesce(Tracepoint, trace)
| eval StatusMessage=if(trace="ERROR", Message, null())
| rename content.loggerPayload.archiveFileName AS ArchivedFileName
| stats
   earliest(Timestamp) AS Timestamp
   values(Tracepoint) AS Tracepoint
   values(JobType) AS JobType
   values("FileName/JobName") AS "FileName/JobName"
   values(Message) AS Message
   values(StatusMessage) AS StatusMessage
   values(ArchivedFileName) AS ArchivedFileName
   BY CorrelationId

In other words: put all the searches in OR in the main search, use all the renames and evals, and at last correlate results using the join key in a stats command.

If you want some additional field, add it to the stats command.

Ciao.

Giuseppe

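The same pattern stated generally, as an added example rather than the answerer's own search: each event is tagged once with its type, the type-specific fields are mapped with conditional evals instead of repeated renames, and a final where keeps only correlation IDs that had a job-start event, which is what the original left join preserved. The index, field names and message texts are the ones from the thread; message= with wildcards is assumed for the bare terms in the original question.

```spl
index="xxx" applicationName="api"
    ( (environment=$env$ (message="Ondemand Started*" OR message="Expense Process started*"))
      OR trace=ERROR
      OR message="*Before Calling flow archive-Concur*" )
| rename correlationId AS CorrelationId
| eval EventType=case(
      like(message, "%Ondemand Started%"),                   "start",
      like(message, "Expense Process started%"),             "start",
      trace="ERROR",                                         "error",
      like(message, "%Before Calling flow archive-Concur%"), "archive",
      true(),                                                "other")
| eval JobType=case(
      EventType!="start",                                    null(),
      like(message, "%Ondemand Started%"),                   "OnDemand",
      true(),                                                "Scheduled")
| eval "FileName/JobName"=if(EventType="start", coalesce(sourceFileName, 'content.JobName'), null())
| eval Timestamp=if(EventType="start", timestamp, null())
| eval Tracepoint=coalesce(tracePoint, trace)
| eval StatusMessage=if(EventType="error", trim(message, "\""), null())
| eval ArchivedFileName=if(EventType="archive", 'content.loggerPayload.archiveFileName', null())
| stats
    earliest(Timestamp)             AS Timestamp
    values(Tracepoint)              AS Tracepoint
    values(JobType)                 AS JobType
    values("FileName/JobName")      AS "FileName/JobName"
    values(StatusMessage)           AS StatusMessage
    values(ArchivedFileName)        AS ArchivedFileName
    count(eval(EventType="start"))  AS StartEvents
    BY CorrelationId
| where StartEvents > 0
| fields - StartEvents
```

A stats over an OR search behaves like a full outer join, so the final where is what restores the left-join semantics; dropping it also lists correlation IDs that only produced error or archive events, which can itself be a useful check for jobs that failed before logging a start.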