Multiple joins are making my Splunk dashboard slow. Is there any other way to make it faster? How can we combine these joins?
index="xxx" applicationName="api" environment=$env$ timestamp correlationId trace message ("Ondemand Started*" OR "Expense Process started") |rename sourceFileName as SourceFileName content.JobName as JobName
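```Prefer the source file name; fall back to the job name when the event carries no file.```
| eval "FileName/JobName"=coalesce(SourceFileName, JobName)
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as Tracepoint message as Message
```Classify the run by its start message; single quotes make eval read Message as a field, not a literal.```
| eval JobType=case(
    like('Message', "%Ondemand Started%"), "OnDemand",
    like('Message', "Expense Process started%"), "Scheduled",
    true(), "Unknown")
| eval Message=trim(Message, "\"")
```Keep only the fields needed downstream. fields is used instead of an intermediate table; the final table decides the columns.```
| fields Timestamp CorrelationId Tracepoint JobType "FileName/JobName" Message
```Attach one ERROR event per CorrelationId (dedup keeps the first one returned).```
```NOTE(review): join subsearches are capped by result-count and runtime limits in limits.conf. When a cap is hit the subsearch is cut short, so a row can show an empty StatusMessage although an ERROR exists. Confirm the limits against your data volume.```
```NOTE(review): neither subsearch filters on the environment token, so both scan every environment. If these events carry an environment field, adding that filter should cut the work. For a free-text dashboard input, apply the |s token filter so the value is quoted before it reaches the search.```
| join CorrelationId type=left
    [ search index="xxx" applicationName="api" trace=ERROR
      ```Fixed: the original read "traceas TracePoint", which is not valid rename syntax.```
      | rename correlationId as CorrelationId trace as TracePoint message as StatusMessage
      | dedup CorrelationId
      | table CorrelationId TracePoint StatusMessage ]
```The original ran a table here that dropped Tracepoint, leaving the final Tracepoint column blank; that step is removed.```
```Attach the archived file name logged just before the archive flow is called (join keeps the first match per CorrelationId by default).```
| join CorrelationId type=left
    [ search index="xxx" applicationName="api" message="*Before Calling flow archive-Concur*"
      | rename correlationId as CorrelationId content.loggerPayload.archiveFileName as ArchivedFileName
      | table CorrelationId ArchivedFileName ]
```Tracepoint is the start event's tracePoint. If the ERROR event's trace level was intended, list TracePoint instead.```
```A join-free form is usually faster: OR the three event filters into one base search and combine them with stats or eventstats by CorrelationId. That changes row semantics (one row per CorrelationId), so compare its output with this version first.```
| table Timestamp CorrelationId Tracepoint JobType "FileName/JobName" ArchivedFileName StatusMessage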