Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Search Optimization

ganeshkumarmoha
Explorer
‎09-09-2024 06:22 AM

Hi Team,
As per business requirement, need to get below details from same autosys batch and corresponding outputs to be displayed on the single row in a table:
1. Last execution time 
2. Execution time of specific search keyword i.e., Completed invokexPressionJob and obtained queue id ::
3. Number of times "ERROR" keyword present

index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"    
| stats latest(_time) as  latest_time 
| convert ctime(latest_time)  
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| search "Completed invokexPressionJob and obtained queue id ::"    
| stats latest(_time) as last_success_time 
| convert ctime(last_success_time)]   
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]"  
| stats count(level) by level 
| WHERE level IN ("ERROR")] | append [| makeresults | eval job_name="Print Job"] 
| table  latest_time last_success_time count(level) job_name
| stats list(*) as *


Above query works fine. From query performance prospective, am I achieving the output right way? Is there any other better to achieve it? Because, similar set to query I need to apply to 10 other batch jobs inside the Splunk dashboard. Kindly suggest!!

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-09-2024 03:05 PM

Using append is almost never the right solution - you are performing the same search three times and just collecting bits of info each time - this can be done in one search

 

index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| eval success_time=if(searchmatch("Completed invokexPressionJob and obtained queue id ::"), _time, null())
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]" 

| stats latest(_time) as latest_time latest(success_time) as success_time sum(eval(if(level="ERROR",1, 0))) as errors
| convert ctime(latest_time) 
| convert ctime(success_time)

 

success_time is determined if the event matches the criteria wanted and errors are calculated if the level is ERROR.

Not sure what you're trying to do with the final append with Print Job on a new row.

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-09-2024 03:05 PM

Using append is almost never the right solution - you are performing the same search three times and just collecting bits of info each time - this can be done in one search

 

index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>" 
| eval success_time=if(searchmatch("Completed invokexPressionJob and obtained queue id ::"), _time, null())
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]" 

| stats latest(_time) as latest_time latest(success_time) as success_time sum(eval(if(level="ERROR",1, 0))) as errors
| convert ctime(latest_time) 
| convert ctime(success_time)

 

success_time is determined if the event matches the criteria wanted and errors are calculated if the level is ERROR.

Not sure what you're trying to do with the final append with Print Job on a new row.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...