Solved: What is this Where clause by time doing?

wrussell12 · ‎08-09-2019

Is this requesting all the records, from 3 minutes ago?

index="my_index" source="bandstats" recordType="core" 
    | dedup coreName 
    | where _time < (now() - 180)

_time = 1565372570 (minus 3600)
now = 1565376170 (current time)
3mins ago = 1565375990
1565372570 < 1565375990

So, this search is looking for records that are older than 3 minutes ago?

This where clause seems to be making the entire search slow, what would be a better alternative?

richgalloway · ‎08-09-2019

Yes, the where clause is looking for events that are at least 3 minutes old. This is unnecessary. Use index="my_index" source="bandstats" recordType="core" latest=-3m | dedup coreName.

You can confirm what is making the search slow with the Job Inspector.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-09-2019

Yes, the where clause is looking for events that are at least 3 minutes old. This is unnecessary. Use index="my_index" source="bandstats" recordType="core" latest=-3m | dedup coreName.

You can confirm what is making the search slow with the Job Inspector.

---
If this reply helps you, Karma would be appreciated.

wrussell12 · ‎08-09-2019

How could I use this what a datamodel, and tstats?

Optimized:

 index="my_index" source="bandstats" recordType="core" latest=-3m
     | dedup coreName

.

 | tstats latest(band.coreName) as coreName from bandstats.band by coreId, _time
 | where _time < (now() - 180)

richgalloway · ‎08-09-2019

tstats does not support the latest option so you're stuck with where.

---
If this reply helps you, Karma would be appreciated.

What is this Where clause by time doing?

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas