Solved: request optimization with best practices

jip31 · ‎10-11-2018

hello

I use the request below but i would like to have an example of doing this code more performant following splunk best practices
could you help me please?

 index="windows" sourcetype="wineventlog:Application" SourceName="*" 
Type="Critique" OR Type="Avertissement" OR Type="Erreur" 
| dedup host 
| stats count by host   

| join host [search index="windows-wmi" sourcetype="WMI:ModelPC" |rex "Model=(?<model>.*)"|stats values(model) as Model by host]
| stats count values(host) by Model | rename count as Total | table Model Total | sort -Total limit=10

koshyk · ‎10-11-2018

Please try like below ( I haven't tested it, but just the concept)

[index="windows" sourcetype="wineventlog:Application" SourceName="*"  (Type="Critique" OR Type="Avertissement" OR Type="Erreur" ) | stats count by host | fields host]   index="windows-wmi" sourcetype="WMI:ModelPC"  
|rex "Model=(?<model>.*)"|stats values(model) as Model by host

View solution in original post

koshyk · ‎10-11-2018

Please try like below ( I haven't tested it, but just the concept)

[index="windows" sourcetype="wineventlog:Application" SourceName="*"  (Type="Critique" OR Type="Avertissement" OR Type="Erreur" ) | stats count by host | fields host]   index="windows-wmi" sourcetype="WMI:ModelPC"  
|rex "Model=(?<model>.*)"|stats values(model) as Model by host

jip31 · ‎10-15-2018

thanks a lot

request optimization with best practices

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation