Solved: Splunk Search Optimization

ganeshkumarmoha · ‎09-09-2024

Hi Team,
As per business requirement, need to get below details from same autosys batch and corresponding outputs to be displayed on the single row in a table:
1. Last execution time
2. Execution time of specific search keyword i.e., Completed invokexPressionJob and obtained queue id ::
3. Number of times "ERROR" keyword present

index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"    
| stats latest(_time) as  latest_time 
| convert ctime(latest_time)  
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| search "Completed invokexPressionJob and obtained queue id ::"    
| stats latest(_time) as last_success_time 
| convert ctime(last_success_time)]   
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]"  
| stats count(level) by level 
| WHERE level IN ("ERROR")] | append [| makeresults | eval job_name="Print Job"] 
| table  latest_time last_success_time count(level) job_name
| stats list(*) as *

Above query works fine. From query performance prospective, am I achieving the output right way? Is there any other better to achieve it? Because, similar set to query I need to apply to 10 other batch jobs inside the Splunk dashboard. Kindly suggest!!

bowesmana · ‎09-09-2024

Using append is almost never the right solution - you are performing the same search three times and just collecting bits of info each time - this can be done in one search

index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| eval success_time=if(searchmatch("Completed invokexPressionJob and obtained queue id ::"), _time, null())
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]" 

| stats latest(_time) as latest_time latest(success_time) as success_time sum(eval(if(level="ERROR",1, 0))) as errors
| convert ctime(latest_time) 
| convert ctime(success_time)

success_time is determined if the event matches the criteria wanted and errors are calculated if the level is ERROR.

Not sure what you're trying to do with the final append with Print Job on a new row.

View solution in original post

bowesmana · ‎09-09-2024

Using append is almost never the right solution - you are performing the same search three times and just collecting bits of info each time - this can be done in one search

index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| eval success_time=if(searchmatch("Completed invokexPressionJob and obtained queue id ::"), _time, null())
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]" 

| stats latest(_time) as latest_time latest(success_time) as success_time sum(eval(if(level="ERROR",1, 0))) as errors
| convert ctime(latest_time) 
| convert ctime(success_time)

success_time is determined if the event matches the criteria wanted and errors are calculated if the level is ERROR.

Not sure what you're trying to do with the final append with Print Job on a new row.

Splunk Search Optimization

eval

regex

stats

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation