Splunk Search Syntax

NeonFlash
Explorer

Hi,

I want to know the difference between the following 2 searches:

sourcetype="source" search NOT field2=*keyword* | table field1, field2, field3

and

sourcetype="source" | table field1, field2, field3 | search NOT field2=*keyword*

I am not getting all the relevant results with the first search query.

What I am trying to do is: I want to reduce the number of results returned by the sourcetype and later process them by piping the output to a regex.

The second Splunk query takes longer to execute because it will first extract all the results from the sourcetype and then apply a filter on field2.

I want to reduce the number of results extracted from the sourcetype itself while running the query to reduce the execution time of query.

Something like in SQL:

select * from table where column_name LIKE '%keyword%'

So, here I have reduced the results returned by the SQL query itself, which can later be processed by piping the output to another expression.

jhallur_splunk
Splunk Employee
Splunk Employee

Your 1st query is searching for the events having the keyword 'search' (along with the other conditions given in the query). The events which don't have the 'search' keyword are dropped from your search result. Hence the different results you see.

The keyword 'search' should be after the '|' in your 1st query. Either remove the keyword 'search' from the query or add the '|' symbol before the 'search' keyword.

Please vote if you think this answer provided required clarification for you.

Regards
Jayanna Hallur

proletariat99
Communicator

Yes, but aside from the typo, it's still a valuable question. The difference between the two

sourcetype="source" NOT field2=*keyword* | table field1, field2, field3

sourcetype="source" | table field1, field2, field3 | search NOT field2=*keyword*

is that the first one is slightly faster. They both should return the same result, but the first one eliminates a key:value pair before putting it into a table (which takes cycles). The second one builds the table, then removes stuff.

DisabledLeopard
Explorer

You've misused the term "search" in your first search.

As you have it:

sourcetype="source" search NOT field2=*keyword* | table field1, field2, field3

The term "search" is being used as a keyword in a search, i.e. find events in sourcetype="source" containing "search" but not having field2="keyword".

What you want is simply:

sourcetype="source" NOT field2=*keyword* | table field1, field2, field3
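A small Python model of the two searches, added here as an illustration (it is not code from the thread or from Splunk). It uses constructed sample events and a deliberately simplified version of base-search matching (field=value with * wildcards, bare words matched against the raw text, implicit AND, NOT on a single term) to show why the unpiped "search" silently drops events.

```python
import fnmatch
import re

# Constructed sample events standing in for sourcetype="source" data (not from the
# thread). Each event carries its raw text plus already-extracted fields.
EVENTS = [
    {"sourcetype": "source", "_raw": "user=alice action=login status=ok", "field1": "alice", "field2": "login", "field3": "ok"},
    {"sourcetype": "source", "_raw": "user=bob action=search status=ok", "field1": "bob", "field2": "search", "field3": "ok"},
    {"sourcetype": "source", "_raw": "user=carol action=keyword_hit status=fail", "field1": "carol", "field2": "keyword_hit", "field3": "fail"},
    {"sourcetype": "source", "_raw": "user=dave action=export note=search status=ok", "field1": "dave", "field2": "export", "field3": "ok"},
    {"sourcetype": "other", "_raw": "user=eve action=login status=ok", "field1": "eve", "field2": "login", "field3": "ok"},
]
COLS = ("field1", "field2", "field3")

def term_matches(event, term):
    """Simplified model of one base-search term: field=value (with * wildcards,
    surrounding quotes ignored) or a bare keyword matched as a whole word in _raw."""
    if "=" in term:
        field, pattern = term.split("=", 1)
        value = str(event.get(field, "")).lower()
        return fnmatch.fnmatchcase(value, pattern.strip('"').lower())
    return term.lower() in re.findall(r"\w+", event["_raw"].lower())

def base_search(events, query):
    """Apply the base search: every term must match (implicit AND); a term
    preceded by NOT must not match."""
    tokens = query.split()
    kept = []
    for ev in events:
        ok, i = True, 0
        while i < len(tokens) and ok:
            negate = tokens[i].upper() == "NOT"
            i += negate                      # skip the NOT itself
            ok = term_matches(ev, tokens[i]) != negate
            i += 1
        if ok:
            kept.append(ev)
    return kept

def table(events, *fields):
    """Equivalent of '| table field1, field2, field3'."""
    return [{f: ev.get(f) for f in fields} for ev in events]

def mistaken_query():
    # The bare word 'search' before the pipe is just another keyword the event must contain.
    return table(base_search(EVENTS, 'sourcetype="source" search NOT field2=*keyword*'), *COLS)

def corrected_query():
    # Same filter on field2, without the stray keyword: alice is no longer dropped.
    return table(base_search(EVENTS, 'sourcetype="source" NOT field2=*keyword*'), *COLS)
```

Running both shows the mistaken query returning only the events whose raw text happens to contain the word "search", while the corrected one returns every sourcetype="source" event whose field2 does not contain "keyword".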