Solved: request optimization with best practices

jip31 · ‎10-11-2018

hello

I use the request below but i would like to have an example of doing this code more performant following splunk best practices
could you help me please?

 index="windows" sourcetype="wineventlog:Application" SourceName="*" 
Type="Critique" OR Type="Avertissement" OR Type="Erreur" 
| dedup host 
| stats count by host   

| join host [search index="windows-wmi" sourcetype="WMI:ModelPC" |rex "Model=(?<model>.*)"|stats values(model) as Model by host]
| stats count values(host) by Model | rename count as Total | table Model Total | sort -Total limit=10

koshyk · ‎10-11-2018

Please try like below ( I haven't tested it, but just the concept)

[index="windows" sourcetype="wineventlog:Application" SourceName="*"  (Type="Critique" OR Type="Avertissement" OR Type="Erreur" ) | stats count by host | fields host]   index="windows-wmi" sourcetype="WMI:ModelPC"  
|rex "Model=(?<model>.*)"|stats values(model) as Model by host

View solution in original post

koshyk · ‎10-11-2018

Please try like below ( I haven't tested it, but just the concept)

[index="windows" sourcetype="wineventlog:Application" SourceName="*"  (Type="Critique" OR Type="Avertissement" OR Type="Erreur" ) | stats count by host | fields host]   index="windows-wmi" sourcetype="WMI:ModelPC"  
|rex "Model=(?<model>.*)"|stats values(model) as Model by host

jip31 · ‎10-15-2018

thanks a lot

request optimization with best practices

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann