Splunk Search

What command can I use to speed up my search besides join command?

same
Engager

I am trying to extract only the top values from fields such as argument, uri, and method for the WAF log.
Currently, it is configured using a join statement, but the search speed is very slow,
so I am looking for another method.
Please give me a hint on the search statement that can retrieve the top values in each field at once.

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @same ,

as @bowesmana said, use stats to join the two searches.

join is a very slow command that is used mainly by people that come from databases, but Splunk isn't a database, it's a search engine, so the logic is completely different.

You have to create a stats command correlating the data from the two Data Sources using the "BY correlation_key" clause and visualizing the fields you need using the options for stats.

Ciao.

Giuseppe



same
Engager

Thanks for the hint to solve the problem


bowesmana
SplunkTrust
SplunkTrust

Use stats instead of join or top, e.g.

| top argument uri method

Please provide an example of what you've got so far, so we can help optimise
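Added example (not posted by anyone in this thread) showing the two patterns the answers above describe. The first pair of searches is gcusello's point: the slow `join` on a correlation key beside the equivalent single `stats ... BY correlation_key` over both sources in one base search. The last search is bowesmana's `stats`-instead-of-`join` advice applied to the original question: the top 10 values of `method`, `uri` and `argument` from the WAF log in one pass, so abused endpoints or parameters stand out without a join per field. Everything here is assumed for illustration: the `index=waf` / `sourcetype=waf_log` source, a second `index=proxy` / `sourcetype=proxy_log` source, and `src_ip` as the correlation key. Field names `method`, `uri` and `argument` are from the question.

```spl
index=waf sourcetype=waf_log
| join type=inner src_ip
    [ search index=proxy sourcetype=proxy_log
      | stats count AS proxy_hits BY src_ip ]
| stats count AS waf_hits BY src_ip proxy_hits

(index=waf sourcetype=waf_log) OR (index=proxy sourcetype=proxy_log)
| eval waf_hit=if(sourcetype=="waf_log",1,0), proxy_hit=if(sourcetype=="proxy_log",1,0)
| stats sum(waf_hit) AS waf_hits sum(proxy_hit) AS proxy_hits BY src_ip
| where waf_hits>0 AND proxy_hits>0

index=waf sourcetype=waf_log
| fields method uri argument
| fillnull value="-" method uri argument
| eval pair=mvappend("method=".method, "uri=".uri, "argument=".argument)
| mvexpand pair
| rex field=pair "^(?<field>[^=]+)=(?<value>.*)$"
| stats count BY field value
| sort 0 field -count
| streamstats count AS rank BY field
| where rank<=10
```

The first search runs the bracketed subsearch separately, holds its rows in memory and then matches each WAF event against them, which is what makes `join` slow and subject to the subsearch row limit. The second search gets the same `waf_hits`/`proxy_hits` per `src_ip` from one pass over both sources, because `stats ... BY src_ip` is itself the correlation. In the last search, `mvappend` plus `mvexpand` turns each event into one row per field/value pair, so a single `stats count BY field value` followed by `sort` and `streamstats` ranks the values within each field; `fillnull` keeps events with a missing field from being dropped by the string concatenation. Adjust `rank<=10` for the number of top values you need.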
