Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to modify the search by eliminating append commands.is it possible?

Veeru
Path Finder
‎01-13-2022 05:01 AM

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| transaction UUID keepevicted=true
| eval ReportKey="Today"
| append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
| transaction UUID keepevicted=true
| eval ReportKey="LastWeek"
| eval _time=_time+60*60*24*7] 
| timechart span=30m count(linecount) as Volume by ReportKey | fields _time,Today,LastWeek

as this search taking more time to load so i am trying to modify the search can you please me with this.

Thanks in advance
Veerendra

Labels (5)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 05:16 AM

Are you sure it's append that's taking more time and not transaction?  The transaction command tends to be more inefficient.  Perhaps this will be a quicker way to plot volume.

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
```Count transactions by counting the number of unique UUID values```
| stats dc(UUID) by _time
| eval ReportKey="Today"
| append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
  | bin span=30m _time
  | stats dc(UUID) by _time
  | eval ReportKey="LastWeek"
  | eval _time=_time+60*60*24*7] 
| timechart span=30m count as Volume by ReportKey

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Veeru
Path Finder
‎01-13-2022 05:36 AM

@richgalloway 

But that gives me 0 count,it’s not giving me the exact results

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 08:27 AM

Let's break it down a little.  Does this part produce correct results?

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
| stats dc(UUID) by _time
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Veeru
Path Finder
‎01-17-2022 02:00 AM 
index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
| stats dc(UUID) by _time

 this giving exact results but  when i append with but search i.e

index in (a,b) sourcetype in (a,b) earliest=-12h latest=@m

|bin span =30m _time

|stats dc(Uuid) as today  by _time

|append[ |search index in (a,b) sourcetype in (a,b) earliest=-12h -1w latest=@m-1w

|eval _time=_time+60*60*24*14

|bin span =30m _time

|stats dc(Uuid) as lastweek by _time] |fields today,lastweek

 

In this query for today i am geeting exact output but for lastweek i am getting 0 results.

 

please help me out

 

thank you in advance

veeru

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-17-2022 09:57 AM

The "IN" keyword must be capitalized.  Also, consider using the relative_time function instead of maths.

index IN (a,b) sourcetype in (a,b) earliest=-12h latest=@m
|bin span =30m _time
|stats dc(Uuid) as today  by _time
|append[ |search index IN (a,b) sourcetype in (a,b) earliest=-12h -1w latest=@m-1w
  |eval _time=relative_time(_time, "+1w")
  |bin span =30m _time
  |stats dc(Uuid) as lastweek by _time] 
|fields today,lastweek

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Veeru
Path Finder
‎01-17-2022 01:39 AM

Till stats count(uuid) is working but i want  by reportkey

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...