Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Optimizing subquery with inputlookup

krbalaji77
Explorer
‎06-28-2023 08:28 AM

I have this query to find hosts from a lookup that have zero events. There are about a 100 hosts and I can see that the query performance is slow with the use of subquery this way. 

Any ideas to improve this?

| inputlookup lookup.csv
| join type=outer [search index=os sourcetype=ps "abc.pid" OR "abc.bin"
| stats count as heartbeat by host ]
| fillnull heartbeat value=0
| where heartbeat=0
| stats values(host) as failed_hosts

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2023 08:35 AM

Hi @krbalaji77,

the error is to use the join command that must be used only when there isn't any other solution.

Splunk isn't a database!

In addition you used the search as subquery and you have the limit of 50,000 results.

You should use a different approach using your lookup:

index=os sourcetype=ps "abc.pid" OR "abc.bin"
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup lookup.csv | eval host=lower(host), count=0 | fields host count ]
| join type=outer [search  ]
| stats sum(count) AS total BY host
| where total=0

This is a more performant search.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2023 08:35 AM

Hi @krbalaji77,

the error is to use the join command that must be used only when there isn't any other solution.

Splunk isn't a database!

In addition you used the search as subquery and you have the limit of 50,000 results.

You should use a different approach using your lookup:

index=os sourcetype=ps "abc.pid" OR "abc.bin"
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup lookup.csv | eval host=lower(host), count=0 | fields host count ]
| join type=outer [search  ]
| stats sum(count) AS total BY host
| where total=0

This is a more performant search.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

krbalaji77
Explorer
‎06-28-2023 09:38 AM

Thank you for the quick response @gcusello 

so, we do still need to do a join in this case right meaning the append itself wouldnt do it?

also - what does this do ?

| join type=outer [search  ]

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-29-2023 12:35 AM

Hi @krbalaji77,

sorry! it was a typo:

index=os sourcetype=ps "abc.pid" OR "abc.bin"
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup lookup.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...