Hi - I'm new to Splunk I am having a performance issue that causes a timeout over longer time spans on a base search I'm performing on a dashboard that uses a join. I have tried replacing the join with the suggested methods found here Here, Here and Here.
Unfortunately, I am unable to get it to work correctly and output the correct value I am getting from my join search. Perhaps this is because of the spath/rex extract commands I am using?
Note my actual search uses tokens however I have replaced them with asterisks to avoid any confusion.
Any help would be much appreciated!
My Code is:
index=ivr_app sourcetype="CEM-AppLog" rosterInfo
| rex "^(?:[^{]*){7}(?P<my_data>.+)"
| spath input=my_data output=vq path=TOD
| spath input=my_data output=steps path=steps{}
| spath input=my_data output=type path=type
| spath input=my_data output=virtualQueue path=virtualQueue
| spath input=my_data output=last_step path=steps{}
| eval res = mvindex(last_step,mvcount(last_step)-1)
| spath input=res output=name path=name
| spath input=res output=type path=type
| rex field=_raw "SN_CONTEXT_ID (?P<SN_CONTEXT_ID>[^\s]+) produced"
| dedup SN_CONTEXT_ID
| join type=inner SN_CONTEXT_ID[
search index=ivr_app "pipeline at completion" AND CALL_FLOW AND DNIS EXCHANGE NOT "NPS" NOT "TFRDEST" NOT TFRNUM NOT "SN_CONTACT_TYPE=Transfer" NOT "SN_TARGET_TYPE=Release" AND "SN_CONTACT_REASON=" AND SN_CALL_FLAGS="*" OR NOT SN_CALL_FLAGS="*"
| dedup SN_CONTEXT_ID CONNID
| foreach SN_CALL_FLAGS [ eval <<FIELD>> = if(isnull(<<FIELD>>) OR len(<<FIELD>>)==0, "NO_CALL_FLAG", <<FIELD>>) ]
| search CLI="*" AND CONNID="*" AND SN_CALL_FLAGS="*" AND DNIS="*"
]
| search type="Agent"
| stats count as countAgent
... View more
