Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

count number of serialnumber with dc takes lots of time

sarit_s
Communicator
‎05-06-2019 07:03 AM

hello
i have this query :
index = amer_pj
| SerialNumber
| Region
| stats dc(SerialNumber) as SerialNumber by Region
| table SerialNumber

which supposed to count the number of uniqe SerialNumbers
for last 30 days it take more than an hour to complete the query
what am i doing wrong ? is there a better way to do it ?
is there a way to save the result of the last run ?
(it is a dashboard, not a report)

thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-06-2019 10:55 AM

When you say source, you means "source" (generally file name) metadata field? If yes, then try this version: Should be way faster

| tstats count WHERE index = amer_pj  by source
| `SerialNumber`
| `Region`
| stats dc(SerialNumber) as SerialNumber by Region
| table SerialNumber

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-06-2019 10:55 AM

When you say source, you means "source" (generally file name) metadata field? If yes, then try this version: Should be way faster

| tstats count WHERE index = amer_pj  by source
| `SerialNumber`
| `Region`
| stats dc(SerialNumber) as SerialNumber by Region
| table SerialNumber
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎05-06-2019 11:15 AM

perfect !!!
please edit your answer so i will be able to accept it

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-06-2019 11:53 PM

Please accept this answer if it solved your problem.

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎05-06-2019 09:37 AM

May be doing extraction at index time will help.
Also scheduled summary indexing is a good option for your case.

0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎05-06-2019 09:39 AM

the rex is not the problem since im using it in lots of other queries

how can i use summary ?

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎05-06-2019 11:16 AM

@sarit_s Write your search and save it as a report .At the end of your search collect the output data in a summary index (say test_summary) using collect command and schedule it to run as per your need may be once a day based on last 30 days date time range. The _time in summary index can be changed as per your need else it will take time at which scheduled search ran.
| collect index=test_summary

Once data is collected in test_summary , you can simply query on index=test_summary in your dashboard or report.

0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎05-06-2019 10:47 PM

thanks !

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-06-2019 07:52 AM

What do those two macros do??

0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎05-06-2019 09:33 AM

extract SerialNumber and Region from source

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎05-06-2019 07:15 AM

How many events you have in 30 day time frame.You can summarize your data in a summary index over last 30 days and use the summary index in your report.

Also try this query

index=amer_pj| fields SerialNumber , Region | stats dc(SerialNumber) as SerialNumber by Region
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎05-06-2019 09:35 AM

its still very slow..

i have millions of events in 30 days
how can i use summary ?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...