cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rakeshreddy123
Engager
Member since: ‎03-17-2016
‎02-29-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-17-2016
View All

Re: Hourly stats of all columns with multiple join...

by SplunkTrust in Dashboards & Visualizations
‎02-29-2024 08:19 AM
2 Karma
‎02-29-2024 08:19 AM
2 Karma
I've taken a few stares at that search, and I honestly think you are trying to do way too much in one search. There are several giveaways.  a) There's different binning/bucketing for one of them - though I think the entire thing could be binned to 1s intervals to no actual detriment, b) results are joined together using 'join' which is rarely the right command to use because Splunk Is Not A Relational DB, and c) but you sort of *have* to use join simply because of how convoluted it would be to pile all these results into one table. But it's not necessarily the worst solution if (and only if!) there's only a single or only a few uri/fi's to actually do this for.  E.g. if it's a 1-1 mapping for a few dozen items, ... well, this is still inefficient but it's not going to be the end of the world.  A slight improvement would be to use append to get all the outputs into one table, then a final "| stats ... by fi" (or uri?)  to get the three sets of results back into a single row per fi/uri. Next best might be to rework the entire thing into one much bigger pile o' data, with a more complex stats that does all this work at once.  You'd likely have to do some conditional counting inside the stats, but though it may look a little odd, it's actually still going to be about a hundred times more efficient than your existing search, especially as it scales up to lots of uri/fi's.  https://docs.splunk.com/Documentation/Splunk/latest/Search/Usestatswithevalexpressionsandfunctions But I think best would be three simple searches with their results placed on a dashboard.  You'll have simpler searches that are much faster, far more easily edited/adjusted as things change, and likely way more robust as well. You'll also have a LOT more ways you could display the results. So a few other suggestions - I'll bet you are a DBA, are you not?  This looks similar to what someone familiar with any common RDBMS dropped into Splunk-land would do.  That's not a complaint or any slight, it's where lots of folks start.   In that case, you might want to start here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk But even in the docs, Splunk still suggests join in Splunk to handle the left join from SQL and that I think is a disservice.  See Nick Mealy's talk  https://conf.splunk.com/watch/conf-online.html?search=mealy (and even better if you can find the 2016-2018 version of that talk which I think is even better and more detailed) ... View more

Re: splunk where condition

by in Splunk Search
‎03-17-2016 01:04 PM
1 Karma
‎03-17-2016 01:04 PM
1 Karma
You would need to extract that number as a field and then apply a filter based on that. Try something like this index="web" host="wjb2*ksc14*" sourcetype="jboss:serverLog" "Fetched 0 Browse Offers out of" | rex "Fetched 0 Browse Offers out of (?<fetchcount>\d+)" | where fetchcount>100 A better option would be save this field extraction in the props.conf so that you directly filter in the base search. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-29-2024 04:23 PM
Karma given to
View All