Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Optimize my search

jyab6z
Path Finder
‎03-21-2019 06:40 AM

This is my search:

Function="- Parts::GetPartSection =>" | rex "maingroupNo\>(?.+)\\(?.+)\\(?.+)\" | convert timeformat="%H:%M:%S" dur2sec(TimeInSec) | stats count first(TimeInSec) AS endTime last(TimeInSec) AS startTime by UserID DATE maingroup subgroup | appendcols [search Function="- Parts::GetPartSection =>" | rex "maingroupNo\>(?.+)\\(?.+)\\(?.+)\"  | stats list(secId) as secId_new by UserID DATE maingroup subgroup] | where count > 5 | eval Time_diff = abs(endTime - startTime) | eval avgTime_count = Time_diff/count | where avgTime_count < 20 | where maingroup=="03" AND subgroup=="26" | mvexpand secId_new | stats count by secId_new | rename secId_new as Avsnitt

THEN got this error when it runs over 1 year's data.
alt text

Any ideas?
Thanks in advance!

Preview file
33 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-21-2019 08:44 AM

The subsearch is trying to process too much data. Why do you even need it? You should be able to combine the two searches into a single search. See if this accomplishes the same task.

Function="- Parts::GetPartSection =>" | rex "maingroupNo\>(?.+)\\(?.+)\\(?.+)\" | convert timeformat="%H:%M:%S" dur2sec(TimeInSec) | stats count first(TimeInSec) AS endTime, last(TimeInSec) AS startTime, list(secId) as secId_new by UserID DATE maingroup subgroup | where count > 5 | eval Time_diff = abs(endTime - startTime) | eval avgTime_count = Time_diff/count | where avgTime_count < 20 | where maingroup=="03" AND subgroup=="26" | mvexpand secId_new | stats count by secId_new | rename secId_new as Avsnitt
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-21-2019 08:44 AM

The subsearch is trying to process too much data. Why do you even need it? You should be able to combine the two searches into a single search. See if this accomplishes the same task.

Function="- Parts::GetPartSection =>" | rex "maingroupNo\>(?.+)\\(?.+)\\(?.+)\" | convert timeformat="%H:%M:%S" dur2sec(TimeInSec) | stats count first(TimeInSec) AS endTime, last(TimeInSec) AS startTime, list(secId) as secId_new by UserID DATE maingroup subgroup | where count > 5 | eval Time_diff = abs(endTime - startTime) | eval avgTime_count = Time_diff/count | where avgTime_count < 20 | where maingroup=="03" AND subgroup=="26" | mvexpand secId_new | stats count by secId_new | rename secId_new as Avsnitt
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jyab6z
Path Finder
‎03-22-2019 12:11 AM

Ohh, thank you!
It helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...