Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Optimizing the search

abhi04
Communicator
‎03-13-2024 10:53 AM

Hi All,

 

How can I optimize the below query? Can we convert it to tstats?

 

index=abc host=def* stalled
| rex field=_raw "symbol (?<symbol>.*) /"
| eval hourofday = strftime(_time, "%H")
| where NOT (hourofday>2 AND hourofday <= 4)
| timechart dc(symbol) span=15m
| eventstats avg("count") as avg stdev("count") as stdev
| eval lowerBound=-1, upperBound=(avg+stdev*exact(4))
| eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0)
| fields _time, "count", lowerBound, upperBound, isOutlier, *
| sort -_time
| head 1
| where isOutlier=1
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-13-2024 03:53 PM

 

Use TERM(stalled), as that will help filter the initial data volume retrieved

The order of commands is important - you are doing the rex before the hour constraint - change the order.

You may already have a field called date_hour (it is often extracted by default - check). If so you can put that in the search 

index=abc host=def* stalled (date_hour < 3 OR date_hour > 4)
| rex field=_raw "symbol (?<symbol>.*) /"
| timechart dc(symbol) span=15m

Replace the NOT with a positive constraint, i.e. check that the hour is < 3 or > 4 rather than NOT >2 AND <4

You can't convert it to tstats unless symbol becomes an indexed field.

 

View solution in original post

Reply
Solved! Jump to solution

abhi04
Communicator
‎03-13-2024 05:46 PM

This is awesome, thanks @bowesmana . And, yes, it was a type for the "count" 🙂

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-13-2024 03:55 PM

and there is a basic problem with that search anyway, which is that you are using a field called "count", which does not exist - your timechart will produce a field called dc(symbol). I assume that is a typo and that your real search does dc(symbol) as count

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-13-2024 03:53 PM

 

Use TERM(stalled), as that will help filter the initial data volume retrieved

The order of commands is important - you are doing the rex before the hour constraint - change the order.

You may already have a field called date_hour (it is often extracted by default - check). If so you can put that in the search 

index=abc host=def* stalled (date_hour < 3 OR date_hour > 4)
| rex field=_raw "symbol (?<symbol>.*) /"
| timechart dc(symbol) span=15m

Replace the NOT with a positive constraint, i.e. check that the hour is < 3 or > 4 rather than NOT >2 AND <4

You can't convert it to tstats unless symbol becomes an indexed field.

 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...