OK. Regardless of join or not, your search is pretty bad performance-wise due to how its initial part is written in the first place. You're doing

    <initial_search> | spath [...] | where <some_condition>

Unfortunately, it's gonna have to read and parse every single event from the given time range, which is not what you want.

What is a bit tricky when approaching Splunk for the first time is that, due to the fact that you're dealing with the so-called "schema on read" approach, Splunk - first and foremost - indexes values. So if you have a search saying field=value, Splunk first searches for all events containing the value, and only those events are then checked to see if they do contain that value in places corresponding with the definition of field. The more conditions you have in your initial search, the more events Splunk can discard from the initial result set (due to them containing, for example, just one of two sought-for terms), so that ideally the "hit ratio" is quite high and Splunk doesn't have to work too much at parsing those intermediate search results.

Your search, on the other hand, invokes the spath command on every single event that falls within the time range, and only then checks the results for some condition using the where command. If your events were well-formed json events, you could have the sourcetype defined with KV_MODE=json and use field=value matching based on json fields. But even if you don't have the fields parsed automatically at the point of your initial search, you can greatly improve your search performance by adding the conditions as a "full-text search". So your

    index="my_index"
    | spath input=Properties
    | where RenderedMessage="Created a new transaction"
    AND 'Properties.OrderReference'="289e272f-2677-409b-9576-f28b2763c658"
    AND 'Properties.EnvironmentName'="Development"

can be rewritten (yes, it looks a bit ugly but should be a lot faster) as

    index="my_index" "Created a new transaction" "289e272f-2677-409b-9576-f28b2763c658" "Development"
    | spath input=Properties
    | where RenderedMessage="Created a new transaction"
    AND 'Properties.OrderReference'="289e272f-2677-409b-9576-f28b2763c658"
    AND 'Properties.EnvironmentName'="Development"
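The cost model behind the answer above, as an added illustration that is not part of the original post or of Splunk itself: a tiny Python stand-in for the pipeline counts how many events reach the parse step when the raw term filter runs first versus when every event is parsed. The events are constructed sample data; substring matching stands in for Splunk's indexed-term lookup, and the field names and values are the ones from the thread.

```python
import json

ORDER_REF = "289e272f-2677-409b-9576-f28b2763c658"
# Constructed sample _raw events (not real data). The last one contains all the
# search terms in its text but fails the field conditions, which is why the
# `where` clause still has to stay after the term filter.
EVENTS = [
    '{"RenderedMessage": "Created a new transaction", "Properties": {"OrderReference": "' + ORDER_REF + '", "EnvironmentName": "Development"}}',
    '{"RenderedMessage": "Created a new transaction", "Properties": {"OrderReference": "' + ORDER_REF + '", "EnvironmentName": "Production"}}',
    '{"RenderedMessage": "Payment failed", "Properties": {"OrderReference": "other", "EnvironmentName": "Development"}}',
    'plain text line that only mentions Development',
    '{"RenderedMessage": "Created a new transaction", "Properties": {"OrderReference": "' + ORDER_REF + '", "EnvironmentName": "Staging", "Note": "copied from Development"}}',
]
TERMS = ["Created a new transaction", ORDER_REF, "Development"]

def spath(raw):
    """Mimic `spath`: parse JSON and flatten nested keys to dotted field names."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return {}          # non-JSON event: no fields extracted
    flat = {}
    def walk(prefix, value):
        if isinstance(value, dict):
            for k, v in value.items():
                walk(f"{prefix}.{k}" if prefix else k, v)
        else:
            flat[prefix] = value
    walk("", obj)
    return flat

def where(fields):
    """The `where` conditions from the thread, evaluated on extracted fields."""
    return (fields.get("RenderedMessage") == "Created a new transaction"
            and fields.get("Properties.OrderReference") == ORDER_REF
            and fields.get("Properties.EnvironmentName") == "Development")

def search_parse_first(events):
    """Original search: spath on every event, then where. Returns (hits, parsed_count)."""
    hits = [raw for raw in events if where(spath(raw))]
    return hits, len(events)

def search_terms_first(events, terms):
    """Rewritten search: cheap raw-term filter first, spath/where only on survivors."""
    candidates = [raw for raw in events if all(t in raw for t in terms)]
    hits = [raw for raw in candidates if where(spath(raw))]
    return hits, len(candidates)
```

Both searches return the same single matching event, but the term-first version parses 2 of the 5 events instead of all 5.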