Splunk Search

What is the most efficient way of comparing two indexes?

michaelrosello
Path Finder

I'm checking whether event1 from indexA exists in indexB.
Currently I am using join to compare these two indexes, but it is slow when a lot of data exists.

Is there a faster and more efficient way of achieving this result?

index=indexA
| eval indexA_message_id = Message_ID
| join type=outer Message_ID
    [ search index=indexB
      | eval indexB_message_id = Message_ID
      | fields Message_ID indexB_message_id ]
| where NOT indexA_message_id=indexB_message_id
| table Transaction_Type indexA_message_id

MuS
Legend

Hi michaelrosello,

try this:

index=indexA OR index=indexB 
| stats count dc(index) AS dc_idx values(*) AS * by Message_ID 
| where dc_idx = 1 
| table Transaction_Type Message_ID

The where clause is your filter to get events that are either only in one of the indexes (1) or in both (2).

Hope this helps ...

cheers, MuS
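As an added example (not MuS's search, and not from the original thread): the same stats-based approach narrowed to the original question, i.e. only the Message_IDs that exist in indexA but not in indexB. It assumes the field names from the thread (Message_ID, Transaction_Type) and uses an early `fields` command instead of `values(*) AS *`, so stats only carries the fields actually needed.

```spl
index=indexA OR index=indexB
| fields index Message_ID Transaction_Type
| stats dc(index) AS dc_idx values(index) AS idx values(Transaction_Type) AS Transaction_Type by Message_ID
| eval presence=case(dc_idx=2, "both", idx="indexA", "indexA only", idx="indexB", "indexB only")
| where presence="indexA only"
| table Message_ID Transaction_Type presence
```

Drop the `where` line to get a full breakdown of which IDs are in both indexes and which are in only one of them.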
