Transaction very slow, use stats?

aq_natixis
Engager

Hello,

I have the following logs (1 line = 1 event):

id=**10** from="**10.10.10.44**"
id=10 ### whatever useless log ###
id=**10** bind uid="**toto**"
id=10 ### whatever useless log ###
id=**20** from="**10.10.10.55**"
id=20 ### whatever useless log ###
id=**20** bind uid="**tata**"
id=10 ### whatever useless log ###
id=20 ### whatever useless log ###
id=**30** from="**10.10.10.44**"
id=30 ### whatever useless log ###
id=**30** bind uid="**titi**"
id=30 ### whatever useless log ###
id=**30** bind uid="**toto**"
id=30 ### whatever useless log ###
id=20 ### whatever useless log ###

This is the table result I want:

uid     from         count
toto    10.10.10.44  2
tata    10.10.10.55  1
titi    10.10.10.44  1

This is the search I use to get my result:

(...) "bind uid" OR "from"| transaction id startswith="from" | mvexpand uid | stats count by uid,from

I have exactly the result I want, but the search is VERY slow to perform. A lot of time is used to do the transaction.

So how can I improve my search, or how can I use stats instead of transaction?

Regards,

0 Karma
1 Solution

aljohnson_splun
Splunk Employee

It's not just stats, but stats on stats on stats! At least this is how I would do it.

If this part of your search

 "bind uid" OR "from"

gets you the events you want so that they're ordered like this:

 id=**10** from="**10.10.10.44**"
 id=**10** bind uid="**toto**"
 id=**20** from="**10.10.10.55**"
 id=**20** bind uid="**tata**"

You should just be able to use the id field to group them.

... | stats list(from) as from, values(uid) as uid by id
| stats count by uid from id
| stats sum(count) as count by uuid, from

Your question was also a broad one - how can I improve this search?

Check out this awesome talk given at .conf2015 by Duncan Turnbull & Julian Harty. Here are a few takeaways:

  • use appropriate time range : speed up 30x - 365x
  • add index=foo sourcetype=bar and other metafields : speed up 2x - 10x
  • use the appropriate search mode (fast) : speed up 2x - 5x
  • avoid not & other exclusionary searches (e.g. !=) : speed up 2x - 20x
  • use the fields command early in your search to ONLY get the fields you need
  • avoid subsearches
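
To see what the stats-based pipeline above actually computes, here is a Python model of it run over the sample events from the question. This is an added example, not code from the thread or from Splunk: `parse_events` plays the role of the base search (`"bind uid" OR "from"`), `group_by_id` the role of `stats values(from) as from, values(uid) as uid by id` (set semantics, so `values()` rather than `list()`), and `count_uid_from` the role of `mvexpand uid | stats count by uid, from`. The sample includes the case where one id binds two uids (id=30 in the question), which is exactly what the expand step handles; all function names and the regex are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Sample events, constructed from the log lines in the question (bold markers removed).
SAMPLE_LOGS = """\
id=10 from="10.10.10.44"
id=10 ### whatever useless log ###
id=10 bind uid="toto"
id=10 ### whatever useless log ###
id=20 from="10.10.10.55"
id=20 ### whatever useless log ###
id=20 bind uid="tata"
id=10 ### whatever useless log ###
id=20 ### whatever useless log ###
id=30 from="10.10.10.44"
id=30 ### whatever useless log ###
id=30 bind uid="titi"
id=30 ### whatever useless log ###
id=30 bind uid="toto"
id=30 ### whatever useless log ###
id=20 ### whatever useless log ###
"""

# Only the two event shapes we care about; anything else is dropped, like the base search does.
EVENT_RE = re.compile(
    r'^id=(?P<id>\d+)\s+(?:from="(?P<from>[^"]*)"|bind uid="(?P<uid>[^"]*)")'
)


def parse_events(text):
    """Model of the base search: keep only 'from' and 'bind uid' events,
    yielding (id, field, value) triples in log order."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # the '### whatever useless log ###' lines are discarded here
        if m.group("from") is not None:
            yield m.group("id"), "from", m.group("from")
        else:
            yield m.group("id"), "uid", m.group("uid")


def group_by_id(events):
    """Model of `stats values(from) as from, values(uid) as uid by id`:
    one row per id holding the de-duplicated sets of from and uid values."""
    rows = defaultdict(lambda: {"from": set(), "uid": set()})
    for ident, field, value in events:
        rows[ident][field].add(value)
    return rows


def count_uid_from(rows):
    """Model of `mvexpand uid | stats count by uid, from`: each id contributes
    one count to every (uid, from) pair it holds, so an id with two uids
    (id=30 in the sample) counts once for each of them."""
    counts = Counter()
    for row in rows.values():
        for uid in row["uid"]:
            for src in row["from"]:
                counts[(uid, src)] += 1
    return counts


def uid_from_table(text):
    """Full pipeline: raw log text -> {(uid, from): count}."""
    return dict(count_uid_from(group_by_id(parse_events(text))))


if __name__ == "__main__":
    print(f"{'uid':<8}{'from':<14}count")
    for (uid, src), n in sorted(uid_from_table(SAMPLE_LOGS).items()):
        print(f"{uid:<8}{src:<14}{n}")
```

Because the grouping key is the id field rather than event order, the interleaved "useless" events and the out-of-order id=10 / id=20 lines at the end of the sample have no effect on the result, which is the property that lets stats replace transaction here.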

aq_natixis
Engager

Hello aljohnson,

Thanks for your answer.

I don't know why, but the stats commands you gave me don't work... The search part is fast (like a few sec), but the "finalize" part takes a looonnnggg time (like 15-30 minutes) for "No results found".

By the way, I read the talk you gave and I divided the time by 5!! So really, thanks for that.
But I'm really curious about using stats instead of transaction. I think the mvexpand really slows the process...

EDIT:
I think you meant:
| stats list(from) as from, values(uid) as uuid by id

That's why I didn't get any result. But anyway, the mvexpand is very long (45 sec without, an hour with).

0 Karma

aljohnson_splun
Splunk Employee

Hi @aq_natixis

1.) Yes, you caught my typo, oops

2.) Is mvexpand the slow portion? It very well may be. Try taking them out! I think it should still work. I will remove them from my answer and correct the other typo.

3.) Check the job inspector. This will tell you what is slow.

4.) Great talk - I'm glad it helped!!

5.) If this fixed your issue, please accept the answer.

0 Karma