Solved: What command can I use to speed up my search besid...

same · ‎03-08-2023

I am trying to extract only the top values from fields such as argument, uri, and method for the WAF log.
Currently, it is configured using a join statement, but the search speed is very slow,
so I am looking for another method.
Please give me a hint on the searchstatement that can retrieve the top values in each field at once.

gcusello · ‎03-08-2023

Hi @same ,

as @bowesmana said, use stats to join the two searches.

join is a very slow command that is used mainly by people that come from databases, but Splunk isn't a database, it's a search engine, so the logic is completely different.

You have to create a stats command correlating the data from the two Data Sources using the "BY correlation_key" clause and visualizing the fields you need using the options for stats.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎03-08-2023

Hi @same ,

as @bowesmana said, use stats to join the two searches.

join is a very slow command that is used mainly by people that come from databases, but Splunk isn't a database, it's a search engine, so the logic is completely different.

You have to create a stats command correlating the data from the two Data Sources using the "BY correlation_key" clause and visualizing the fields you need using the options for stats.

Ciao.

Giuseppe

same · ‎03-13-2023

Thanks for the hint to solve the problem

bowesmana · ‎03-08-2023

Use stats instead of join or top, e.g.

| top argument uri method

Please provide an example of what you've got so far, so we can help optimise

What command can I use to speed up my search besides join command?

join

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)