Splunk SPL best practice

sivaranjiniG · ‎07-12-2020

Will a parentheses Surrounded SPL queries make any difference?

For Example:
(index IN (“indexA*”,”indexB*”) source=”sourceA”) and index IN (“indexA*”,”indexB*”) source=”sourceA”

this is a big query want to know if adding parentheses make any difference in performance wise ?

adityagupta3010 · ‎07-12-2020

Hi there,

To answer your question, the use of paranthesis doesn't affect the performance of your splunk query.

But on the other hand using a "=" instead of the "IN" function will help you; as IN is a function call and splunk processor will always first go to the function definition decode the function then resume the search query.

sivaranjiniG · ‎07-12-2020

Hi,
I am not sure how to use multiple indexes without using IN in the query..i dont want to use OR as it takes only one index.i want to use 2 indexes

Can you help?

richgalloway · ‎07-13-2020

The IN operator is translated into ORs before the query executes. So

index IN ("indexA*","indexB*")

becomes

index "indexA*" OR index= "indexB*"

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎07-12-2020

Yes, parentheses can make a difference, but in the example given they do not.
Examine the job inspector for each search to confirm.

---
If this reply helps you, Karma would be appreciated.

sivaranjiniG · ‎07-12-2020

I checked job Inspect there is difference in seconds..as i said its a big query it may impact performance

Thanks for suggesting me to check job inspect

Splunk SPL best practice

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)