Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need to modify the search by eliminating append commands.is it possible?

Veeru
Path Finder
‎01-13-2022 05:01 AM

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| transaction UUID keepevicted=true
| eval ReportKey="Today"
| append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
| transaction UUID keepevicted=true
| eval ReportKey="LastWeek"
| eval _time=_time+60*60*24*7] 
| timechart span=30m count(linecount) as Volume by ReportKey | fields _time,Today,LastWeek

as this search taking more time to load so i am trying to modify the search can you please me with this.

Thanks in advance
Veerendra

Labels (4)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 05:16 AM

Are you sure it's append that's taking more time and not transaction?  The transaction command tends to be more inefficient.  Perhaps this will be a quicker way to plot volume.

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
```Count transactions by counting the number of unique UUID values```
| stats dc(UUID) by _time
| eval ReportKey="Today"
| append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
  | bin span=30m _time
  | stats dc(UUID) by _time
  | eval ReportKey="LastWeek"
  | eval _time=_time+60*60*24*7] 
| timechart span=30m count as Volume by ReportKey

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Veeru
Path Finder
‎01-13-2022 05:36 AM

@richgalloway 

But that gives me 0 count,it’s not giving me the exact results

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2022 08:27 AM

Let's break it down a little.  Does this part produce correct results?

index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
| stats dc(UUID) by _time
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Veeru
Path Finder
‎01-17-2022 02:00 AM 
index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
| stats dc(UUID) by _time

 this giving exact results but  when i append with but search i.e

index in (a,b) sourcetype in (a,b) earliest=-12h latest=@m

|bin span =30m _time

|stats dc(Uuid) as today  by _time

|append[ |search index in (a,b) sourcetype in (a,b) earliest=-12h -1w latest=@m-1w

|eval _time=_time+60*60*24*14

|bin span =30m _time

|stats dc(Uuid) as lastweek by _time] |fields today,lastweek

 

In this query for today i am geeting exact output but for lastweek i am getting 0 results.

 

please help me out

 

thank you in advance

veeru

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-17-2022 09:57 AM

The "IN" keyword must be capitalized.  Also, consider using the relative_time function instead of maths.

index IN (a,b) sourcetype in (a,b) earliest=-12h latest=@m
|bin span =30m _time
|stats dc(Uuid) as today  by _time
|append[ |search index IN (a,b) sourcetype in (a,b) earliest=-12h -1w latest=@m-1w
  |eval _time=relative_time(_time, "+1w")
  |bin span =30m _time
  |stats dc(Uuid) as lastweek by _time] 
|fields today,lastweek

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Veeru
Path Finder
‎01-17-2022 01:39 AM

Till stats count(uuid) is working but i want  by reportkey

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...