Stats Question passing one field common to two sourcetypes where location is in one sourcetype to use field in second sourcetype

Skins
Path Finder

Where am I going wrong here:

I'm trying to get a list of user IDs by location and pass them up to a search which also uses the userID field, and then get the average UIDelay metric of those users, which only appears in the UIDelay sourcetype.

Is this the most efficient way when the result set of the subsearch is around 1k?

index=test sourcetype=UIDelay UIDelayMs=*
    [ search index=test sourcetype=Session Name="Roma"
    | stats count by SessionGUID
    | dedup SessionGUID
    | fields SessionGUID ]
| stats avg(UIDelayMs)

Grazie

Edit: I got it working, but is it the most efficient if it's to be run every 5 mins (over the last 5 mins)?


HiroshiSatoh
Champion

I think this is fine, but one of the following two lines is unnecessary.

| stats count by SessionGUID 
| dedup SessionGUID 

This is a unique value.
| stats count by SessionGUID
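For a search scheduled every 5 minutes, a subsearch-free variant is worth knowing, since subsearches are subject to a result limit (10,000 rows by default) and a runtime limit, and silently truncate when exceeded. The following is an added example, not code from the thread; it assumes the same index, sourcetypes and field names as the original search and pulls both sourcetypes in one pass, tagging each SessionGUID that has a matching "Roma" Session event:

```spl
index=test earliest=-5m (sourcetype=Session Name="Roma") OR (sourcetype=UIDelay UIDelayMs=*)
| eventstats max(eval(if(sourcetype="Session" AND Name="Roma", 1, 0))) AS in_roma BY SessionGUID
| where in_roma=1 AND sourcetype="UIDelay"
| stats avg(UIDelayMs) AS avg_UIDelayMs, dc(SessionGUID) AS sessions
```

The dc(SessionGUID) count is a cheap sanity check: if it differs from the subsearch version's row count, the subsearch is being truncated.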
