Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the search with NOT take less time compared to search using IN?

Wonder_women
Loves-to-Learn
‎09-05-2022 03:08 AM

Hello Everyone, I have two queries  to exclude events one using NOT and other one using IN, both the queries returning same results but the query using NOT command takes less time.

My question is it should be other way around, why NOT is take less time to execute.    

 

Wonder_women_1-1662372107763.png

Time taken by Splunk using IN query

Wonder_women_2-1662372203944.png

Time taken by Splunk using NOT query

 

 

index = "some_index" sourcetype="some_sourec_type" app_code=XXXX a_status IN (0,1,40) AND b_status IN (2,1,10,20)

index = "some_index" sourcetype="some_sourec_type" app_code=XXXX NOT a_status IN (0, -1, -2, -5) NOT b_status IN (-1, -6, -5, null)


Labels (1)
Labels
0 Karma
Reply

Wonder_women
Loves-to-Learn
‎09-05-2022 03:28 AM

Hi @gcusello, 0 is in both the condition.

I executed the query yesterday and then today, it shows the same behavior.  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 03:32 AM

Hi @Wonder_women,

zero in both conditions, means that the two searches have different results,

probably the zero condition matches many events and so the NOT conditions excludes more events, so in the result you have much less events so the results visualization is faster.

Try to use zero only in one of the searches.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2022 03:17 AM

Hi @Wonder_women,

in general a NOT condition is always slower than an IN condition, so it's very strange your behavior.

Only two questions:

  • the condition a_status=0 is in both the searches, it's a copy/past error, or it's present in bothe the searches?
  • di you tried to execute the two searches in different times? in other words does the condition search_IN slower happen all the time or it's temporary?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...