I just found this to absolutely be the case, and was able to use this method to tune a bunch of my queries in one of my dashboards. My use case is that I'm looking for a unique list of hosts reporting to a given index within a timeframe. Here's a small example of the efficiency gain I'm seeing:

Using "dedup host": scanned 5.4 million events in 171.24 seconds
Using "stats max(_time) by host": scanned 5.4 million events in 22.672 seconds

I was so impressed by the improvement that I searched for a deeper rationale and found this post instead. I'm sure there's a sophisticated internal answer for this significantly improved execution path, but for now I'll just be happy that it works as well as it does.
So I would need a python command script that is submitting the search string inside of the script, this search command is sent to the Splunk API, processed, then I get the data back from that Splunk API call, then I resume processing the results from inside the python script to send to my outbound API call? And my whole SPL search string inside Splunk would be "| splunkcommand" ?
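One way to implement the flow described in the question above, as an added example that is not from this thread: a script running outside Splunk that submits the search through the REST API, reduces the results, and forwards them to the outbound API. It assumes token authentication with the token supplied in SPLUNK_TOKEN; the Splunk and receiver URLs are hypothetical placeholders, and the sample response is constructed.

```python
import json
import os
import urllib.parse
import urllib.request

# Hypothetical endpoints; a real deployment sets these in the environment.
SPLUNK_URL = os.environ.get("SPLUNK_URL", "https://splunk.example.internal:8089")
OUTBOUND_URL = os.environ.get("OUTBOUND_URL", "https://receiver.example.internal/ingest")
# Constructed sample of what a oneshot search returns with output_mode=json.
SAMPLE_RESPONSE = ('{"results": [{"host": "web01", "max(_time)": "1712000000"}, '
                   '{"host": "web02", "max(_time)": "1712000030"}, {"host": "web01"}]}')


def build_search_request(spl, token, earliest="-15m"):
    """POST /services/search/jobs with exec_mode=oneshot: Splunk runs the
    search and returns the results in the response body, so no job polling."""
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl  # the REST API needs an explicit leading command
    body = urllib.parse.urlencode({"search": spl, "exec_mode": "oneshot",
                                   "output_mode": "json", "earliest_time": earliest,
                                   "latest_time": "now"}).encode()
    # A bearer token keeps the password out of the script; never log the token.
    return urllib.request.Request(SPLUNK_URL + "/services/search/jobs", data=body,
                                  headers={"Authorization": "Bearer " + token},
                                  method="POST")


def unique_hosts(results_json):
    """Reduce the JSON body of a oneshot search to a sorted list of hosts."""
    rows = json.loads(results_json).get("results", [])
    return sorted({row["host"] for row in rows if row.get("host")})


def build_outbound_request(hosts, spl):
    """Package the processed results for the outbound API call."""
    payload = json.dumps({"source_search": spl, "host_count": len(hosts),
                          "hosts": hosts}).encode()
    return urllib.request.Request(OUTBOUND_URL, data=payload, method="POST",
                                  headers={"Content-Type": "application/json"})


def run_pipeline(spl, token, transport=urllib.request.urlopen):
    """Search -> process -> forward. transport is injectable so the flow can be
    exercised with a fake before it is pointed at live endpoints."""
    with transport(build_search_request(spl, token)) as resp:
        hosts = unique_hosts(resp.read().decode())
    with transport(build_outbound_request(hosts, spl)) as resp:
        return hosts, resp.status


if __name__ == "__main__":
    print(unique_hosts(SAMPLE_RESPONSE))  # offline check on the constructed sample
    print(run_pipeline("index=web | stats max(_time) by host", os.environ["SPLUNK_TOKEN"]))
```

Because this script drives Splunk from outside, no "| splunkcommand" is involved; a custom search command is a different design that runs inside Splunk and receives events from the search pipeline.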
You'll want to use eval with case(), something like:

index=<something> field=<whatever>
| eval ENV = case(hostname LIKE "%DV%", "DV", hostname LIKE "%TV%", "TV", true(), "OTH")
| stats count by ENV