Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Performant way to use "dedup" with group by

duesser
Path Finder
‎11-02-2023 03:06 AM

I basically have the opposite question as can be seen here:

https://community.splunk.com/t5/Splunk-Search/How-to-use-the-head-command-with-group-by/m-p/444439

I am looking for an increase in performance while keeping the search generic. As a minimal example I created this:

 

 

| makeresults 
| eval data=split("1;1,1;2,2;1,2;2",",")
| mvexpand data
| eval data=split(data,";")
| eval a=mvindex(data,0), b=mvindex(data,1)
| table a b
| dedup a

 

 

I know that I can tremendously speed up the search if I use a template like so, using "| head 1" on each group of a:

 

 

| makeresults 
| append 
    [| makeresults 
    | eval data=split("1;1,1;2,2;1,2;2",",") 
    | mvexpand data 
    | eval data=split(data,";") 
    | eval a=mvindex(data,0), b=mvindex(data,1) 
    | table a b 
    | search a=1 
    | head 1
        ] 
| append 
    [| makeresults 
    | eval data=split("1;1,1;2,2;1,2;2",",") 
    | mvexpand data 
    | eval data=split(data,";") 
    | eval a=mvindex(data,0), b=mvindex(data,1) 
    | table a b 
    | search a=2 
    | head 1
        ] 
| search a=* 
| table a b

 

 

However, this way the search is no longer generic and I have to know what groups "a" can take (1,2 in this example)

Question: Is there a way to increase performance on dedup while also keeping the search generic?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-02-2023 03:20 AM

Do you mean something like this?

| stats first(*) as * by a
Reply

duesser
Path Finder
‎11-02-2023 03:25 AM

Yes - this works the same! BUT it yields the exact performance as "| dedup" for my real data example while the  "| head 1" approach is roughly 15x faster.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-02-2023 03:35 AM

I am not too surprised by that, head can discard events quicker than stats. You could try removing the table command from the appended searches and just have it at the end to see if that speeds things up.

0 Karma
Reply

duesser
Path Finder
‎11-02-2023 04:15 AM

It is like this my main search. I figured it would be - however, I thought there might be a trick to dynamically leverage the distinct values of "a" and then vectorize the head command or so. Thank you anyhow!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...