Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

best approach for sub search with total

adomila
Explorer
‎11-06-2013 02:31 AM

Hi, I've the ff search

main search for getting total ...
| join type=outer _time 
[ search main search for getting total ... | WHERE duration>0.01 ]



RESULT:






_timeexceeded totalpercentage
2013-06-18 00:00:00 2 113 1.769912
2013-06-18 00:05:00 1 120 0.833333
2013-06-18 00:10:00 3 101 2.970297



The only difference between the main search w/ the sub search is the "WHERE duration>0.01"


My script is working fine. I just not sure if the is the best approach or if this could still be optimized by not using sub search.



tia (tnx in advance)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-06-2013 07:45 AM

In short, try something like this:

sourcetype... | timechart span=5m count as total count(eval(duration>0.01)) as exceeded

Can't test, on the train home...

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-06-2013 07:58 AM

Great. I have converted my comment to an answer so you can mark it as solved.

0 Karma
Reply
Solved! Jump to solution

adomila
Explorer
‎11-06-2013 07:49 AM

It works. Many thanks and be safe on your way home on a train.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-06-2013 07:45 AM

In short, try something like this:

sourcetype... | timechart span=5m count as total count(eval(duration>0.01)) as exceeded

Can't test, on the train home...

Reply
Solved! Jump to solution

adomila
Explorer
‎11-06-2013 04:59 PM

Thanks Martin.

0 Karma
Reply
Solved! Jump to solution

adomila
Explorer
‎11-06-2013 07:30 AM

Allow me to provide specifics. Here is the exact script:

sourcetype=abc

| bucket _time span=5m

| stats count(ref_num) as total_trans by _time

| join type=outer _time

[ search

sourcetype=abc | WHERE duration>0.01

| bucket _time span=5m

| stats sum(ref_num) as exceeded_trans by _time

]

It is noticeable that the only difference between the main and sub search is the WHERE condition that computes the exceeded transactions. How can I achieve the same RESULT:(stated above) w/o using join or sub search?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-06-2013 06:07 AM

That depends on what you're trying to achieve.

For example, if you describe the roads you're driving on to me and ask whether they are the fastest route... I won't be able to answer that without knowing your destination.

0 Karma
Reply
Solved! Jump to solution

adomila
Explorer
‎11-06-2013 06:04 AM

Hi Martin,
I'm trying to find out if what I have done is the best approach out there; can it be done without using join and sub search? tia.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-06-2013 03:15 AM

What are you trying to achieve?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...