Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query Performace

dglass0215
Path Finder
‎04-27-2021 11:02 AM

Hello, 

 

I am building a query to be able to display a line graph of status (offline, online) over a period of 30days.  Query currently is so slow it usually doesn't finish.  looking for assistance to see if I can do something different to speed it up.  thanks!

 

Current query:

index=mydata sourcetype="mySourceType" (_raw=*offline* OR _raw=*online*) 
| eval status=if(like(_raw, "%offline%"),"Offline","Online")
| timechart span=1d count by status

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-27-2021 11:38 AM

hi @dglass0215,
You don't need to use wildcard (*) in the base search. Try the below query without the timechart first and check the performance. Then add timechart and check the performance.

index=mydata sourcetype="mySourceType" offline OR online 
| rex "(?<status>offline)" 
| eval status=if(status="offline","Offline","Online")

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-27-2021 09:47 PM

Create a field extraction where you extract the current status from raw for that sourcetype, so when you search for it, you can search for all records with status, e.g.

index=mydata sourcetype="mySourceType" status=*
| timechart span=1d count by status

otherwise the leading wildcard combined with _raw= is going to have to search all the data for that sourcetype for your time period. Any row that does not have an extracted status field will not be found.

 

 

0 Karma
Reply
Solved! Jump to solution

dglass0215
Path Finder
‎04-28-2021 06:22 AM

Not sure how to do that when the data is unstructured.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-28-2021 03:23 PM

Take a look at the field extractor in the UI - you can get there from a raw event, via the Event Actions drop down. Splunk is great at unstructured data and it's really good to take a look at how you do field extractions, as it will help you a lot.

bowesmana_0-1619648505124.png

You can extract fields based on regular expressions or delimiters, if you don't know much about regex, then https://regex101.com is a good place to look to play with regex.

 

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-27-2021 11:38 AM

hi @dglass0215,
You don't need to use wildcard (*) in the base search. Try the below query without the timechart first and check the performance. Then add timechart and check the performance.

index=mydata sourcetype="mySourceType" offline OR online 
| rex "(?<status>offline)" 
| eval status=if(status="offline","Offline","Online")

 

0 Karma
Reply
Solved! Jump to solution

dglass0215
Path Finder
‎04-28-2021 06:23 AM

Thank you.  This definitely helped to speed it up.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...