Solved: What command can I use to speed up my search besid...

same · ‎03-08-2023

I am trying to extract only the top values from fields such as argument, uri, and method for the WAF log.
Currently, it is configured using a join statement, but the search speed is very slow,
so I am looking for another method.
Please give me a hint on the searchstatement that can retrieve the top values in each field at once.

gcusello · ‎03-08-2023

Hi @same ,

as @bowesmana said, use stats to join the two searches.

join is a very slow command that is used mainly by people that come from databases, but Splunk isn't a database, it's a search engine, so the logic is completely different.

You have to create a stats command correlating the data from the two Data Sources using the "BY correlation_key" clause and visualizing the fields you need using the options for stats.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎03-08-2023

Hi @same ,

as @bowesmana said, use stats to join the two searches.

join is a very slow command that is used mainly by people that come from databases, but Splunk isn't a database, it's a search engine, so the logic is completely different.

You have to create a stats command correlating the data from the two Data Sources using the "BY correlation_key" clause and visualizing the fields you need using the options for stats.

Ciao.

Giuseppe

same · ‎03-13-2023

Thanks for the hint to solve the problem

bowesmana · ‎03-08-2023

Use stats instead of join or top, e.g.

| top argument uri method

Please provide an example of what you've got so far, so we can help optimise

What command can I use to speed up my search besides join command?

join

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!