Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the search with NOT take less time compared to search using IN?

Wonder_women
Loves-to-Learn
‎09-05-2022 03:08 AM

Hello Everyone, I have two queries  to exclude events one using NOT and other one using IN, both the queries returning same results but the query using NOT command takes less time.

My question is it should be other way around, why NOT is take less time to execute.    

 

Wonder_women_1-1662372107763.png

Time taken by Splunk using IN query

Wonder_women_2-1662372203944.png

Time taken by Splunk using NOT query

 

 

index = "some_index" sourcetype="some_sourec_type" app_code=XXXX a_status IN (0,1,40) AND b_status IN (2,1,10,20)

index = "some_index" sourcetype="some_sourec_type" app_code=XXXX NOT a_status IN (0, -1, -2, -5) NOT b_status IN (-1, -6, -5, null)


Labels (1)
Labels
0 Karma
Reply

Wonder_women
Loves-to-Learn
‎09-05-2022 03:28 AM

Hi @gcusello, 0 is in both the condition.

I executed the query yesterday and then today, it shows the same behavior.  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 03:32 AM

Hi @Wonder_women,

zero in both conditions, means that the two searches have different results,

probably the zero condition matches many events and so the NOT conditions excludes more events, so in the result you have much less events so the results visualization is faster.

Try to use zero only in one of the searches.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 03:17 AM

Hi @Wonder_women,

in general a NOT condition is always slower than an IN condition, so it's very strange your behavior.

Only two questions:

  • the condition a_status=0 is in both the searches, it's a copy/past error, or it's present in bothe the searches?
  • di you tried to execute the two searches in different times? in other words does the condition search_IN slower happen all the time or it's temporary?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...