Solved: What is this Where clause by time doing?

wrussell12 · ‎08-09-2019

Is this requesting all the records, from 3 minutes ago?

index="my_index" source="bandstats" recordType="core" 
    | dedup coreName 
    | where _time < (now() - 180)

_time = 1565372570 (minus 3600)
now = 1565376170 (current time)
3mins ago = 1565375990
1565372570 < 1565375990

So, this search is looking for records that are older than 3 minutes ago?

This where clause seems to be making the entire search slow, what would be a better alternative?

richgalloway · ‎08-09-2019

Yes, the where clause is looking for events that are at least 3 minutes old. This is unnecessary. Use index="my_index" source="bandstats" recordType="core" latest=-3m | dedup coreName.

You can confirm what is making the search slow with the Job Inspector.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-09-2019

Yes, the where clause is looking for events that are at least 3 minutes old. This is unnecessary. Use index="my_index" source="bandstats" recordType="core" latest=-3m | dedup coreName.

You can confirm what is making the search slow with the Job Inspector.

---
If this reply helps you, Karma would be appreciated.

wrussell12 · ‎08-09-2019

How could I use this what a datamodel, and tstats?

Optimized:

 index="my_index" source="bandstats" recordType="core" latest=-3m
     | dedup coreName

.

 | tstats latest(band.coreName) as coreName from bandstats.band by coreId, _time
 | where _time < (now() - 180)

richgalloway · ‎08-09-2019

tstats does not support the latest option so you're stuck with where.

---
If this reply helps you, Karma would be appreciated.

What is this Where clause by time doing?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms