Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About patng323
patng323
Explorer
Member since:
04-26-2013
06-05-2020
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 04-26-2013 |
Activity Feed
- Karma Re: Invalid earliest_time error using the java SDK for sklass. 06-05-2020 12:47 AM
- Karma Re: How do I configure a Splunk Forwarder on Linux? for MillerTime. 06-05-2020 12:46 AM
- Posted Re: Invalid earliest_time error using the java SDK on Getting Data In. 11-28-2016 05:17 PM
- Posted Re: Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-18-2016 06:15 AM
- Posted Re: Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-18-2016 01:52 AM
- Posted Re: Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 05:11 PM
- Posted Re: Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 04:43 PM
- Posted Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 09:00 AM
- Tagged Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 09:00 AM
- Tagged Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 09:00 AM
- Tagged Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 09:00 AM
- Tagged Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 09:00 AM
- Tagged Why am I seeing very different search performance between two indexed fields in two similar searches? on Splunk Search. 10-17-2016 09:00 AM
- Posted Re: dedup gives different result if a 'table' command is used before it. A bug?? on Splunk Search. 10-14-2016 09:13 AM
- Posted Re: dedup gives different result if a 'table' command is used before it. A bug?? on Splunk Search. 10-14-2016 07:56 AM
- Posted Re: dedup gives different result if a 'table' command is used before it. A bug?? on Splunk Search. 10-13-2016 08:21 AM
- Posted Re: dedup gives different result if a 'table' command is used before it. A bug?? on Splunk Search. 10-13-2016 08:11 AM
- Posted Re: dedup gives different result if a 'table' command is used before it. A bug?? on Splunk Search. 10-13-2016 08:07 AM
- Posted dedup gives different result if a 'table' command is used before it. A bug?? on Splunk Search. 10-12-2016 07:53 PM
- Tagged dedup gives different result if a 'table' command is used before it. A bug?? on Splunk Search. 10-12-2016 07:53 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-28-2016
05:17 PM
The same problem happens in the splunk CLI tool.
... View more
10-18-2016
06:15 AM
@acharlieh, thanks for being the moderator, and sorry if I was causing trouble. However, when I post my comment, it went thru successfully without any warning.. But when I refreshed the page, my comment suddenly disappeared. That's why I did repeated reposts because I thought there was a bug in the system (actually the lack of warning was indeed a bug). Next time when it happened again I will know it's a forum bug and will wait.
... View more
10-18-2016
01:52 AM
Thanks for that, but after I inspected the search log of both searches, I hope I am a step closer to the root cause.
Comparing the search log from the fast search (using uriBasePhp) and the slow search (using apiClass2), I found a big difference:
Fast:
10-18-2016 16:12:12.550 INFO LocalCollector - Final required fields list = subsecond,index,prestats_reserved,psrsvd_,uriBasePhp
10-18-2016 16:12:12.550 INFO UserManager - Unwound user context: admin -> NULL
10-18-2016 16:12:12.550 INFO UserManager - Setting user context: admin
10-18-2016 16:12:12.550 INFO UserManager - Done setting user context: NULL -> admin
10-18-2016 16:12:12.550 INFO UnifiedSearch - snapped earliest=1472659201 based on index min times
10-18-2016 16:12:12.550 INFO BatchSearch - Recategorizing indextest5~2~662F7CD7-EFD9-432E-867D-4901863BDEDC as non-restartable for responsiveness.
10-18-2016 16:12:12.550 INFO BatchSearch - Searching index:indextest5 with LISPY:'[ AND uribasephp::/product.php ]'
10-18-2016 16:12:12.550 INFO DatabaseDirectoryManager::Bucket - use_bloomfilter = true
10-18-2016 16:12:12.677 INFO SearchOperator:kv - no fields required. Running only non-optimizeable extractions ...
Slow:
10-18-2016 15:57:48.658 INFO LocalCollector - Final required fields list = BUFFER_POOL_AND_MEMORY,Message,raw,_subsecond,apiClass2,dest_ip,dest_mac,dest_nt_host,host,index,prestats_reserved,psrsvd_,source,src_dns,src_ip,uri
10-18-2016 15:57:48.658 INFO UserManager - Unwound user context: admin -> NULL
10-18-2016 15:57:48.658 INFO UserManager - Setting user context: admin
10-18-2016 15:57:48.658 INFO UserManager - Done setting user context: NULL -> admin
10-18-2016 15:57:48.658 INFO UnifiedSearch - snapped earliest=1472659201 based on index min times
10-18-2016 15:57:48.658 INFO BatchSearch - Recategorizing indextest5~2~662F7CD7-EFD9-432E-867D-4901863BDEDC as non-restartable for responsiveness.
10-18-2016 15:57:48.658 INFO BatchSearch - Searching index:indextest5 with LISPY:'[ AND product ]'
As seen in the bold part of the log, in the "slow" case, somehow Splunk decided to:
- Get more fields than I ask it to get (e.g. dest_ip, dest_mac, src_ip, etc.)
- Not to search from the indexed field apiClass2
But why??? How can I fix it? I have also shared the two search log files in https://goo.gl/6X02r2
... View more
10-17-2016
05:11 PM
Additional info (thanks to lguinn):
- Number of events in the sample data: 11M
- 1st field - uriBasePhp - has 614 unique values
- 2nd field - apiClass2 - has 18 unique values
... View more
10-17-2016
04:43 PM
lguinn, thanks a lot for the great explanation. For the indexed field (apiClass2) which doesn't give good performance, it has a very low uniqueness (only 18 distinct values, among a sample data of 11M events), and that's why we think we could speed things up a lot by creating an indexed field.
For the faster field (uriBasePhp), which we saw a 5x speed improvement after using indexed-field, it actually contains 614 distinct values, which is also low IMO.
Both fields will be used in real searches regularly, and that's why I was puzzled why indexing apiClass2 didn't help the perf at all.
... View more
10-17-2016
09:00 AM
I have two indexed fields. When I search using the 1st field, the performance is great. However, when I search using the 2nd field, the performance is bad, as slow as if it's not an indexed field.
I have done lots of troubleshooting but I still couldn't figure out why. Let me show what I did.
My transforms.conf:
[nw-uriBasePhp]
REGEX = ^[^\t]+\t[^\t]+\t[^\t]+\t(?:[A-Z]+)\ (\/[^\s\?]*\.php)
FORMAT = uriBasePhp::$1
WRITE_META = True
[nw-apiClass2]
REGEX = ^[^\t]+\t[^\t]+\t[^\t]+\t(?:[A-Z]+)\ \/[^\s\?]*api\.php\S*[?&]class\=([^\s&]+)
FORMAT = apiClass2::$1
WRITE_META = True
And below are related fragments from my props.conf and fields.conf:
props.conf:
[my_web3]
TRANSFORMS-nw = nw-uriBasePhp,nw-apiClass2
fields.conf:
[uriBasePhp]
INDEXED=true
[nw-apiClass2]
INDEXED=true
I have verified that both fields are successfully indexed by using the tstats command.
| tstats count WHERE index=indextest5 uriBasePhp="/product.php"
| tstats count WHERE index=indextest5 apiClass2="product"
Both searches return non-zero, which is good as it shows they're both indexed fields.
Then I run a search using the first field.
index=indextest5 uriBasePhp="/product.php" | stats count
The performance is good (5 times faster than a non-indexed version of the search).
Duration Component Invocations Input Count Output Count
10.69 command.search 64 - 769,860
9.51 command.search.rawdata 63 - -
0.35 command.search.kv 63 - -
0.31 command.search.filter 63 - -
However, when I run a similar search using the other indexed field:
index=indextest5 apiClass2="product" | stats count
The performance is not good (it's just similar to what I got if I search using a non-indexed field):
Duration Component Invocations Input Count Output Count
19.76 command.search 334 - 384,286
9.08 command.search.rawdata 333 - -
5.38 command.search.filter 333 - -
4.08 command.search.kv 333 - -
What I don't understand is, each search involves only a single indexed field, but somehow the 2nd search spent lots of time in command.search.filter and command.search.kv , which is totally unexpected.
What else can I do to figure out what things caused those command.search.filter and command.search.kv in my 2nd search?
... View more
10-14-2016
09:13 AM
Again, |table *|dedup id, _time|stats count and |fields *|dedup id, _time|stats count give different results, with the table answer always larger than the fields one.
And there are many other fields in the events.
... View more
10-14-2016
07:56 AM
If I run this:
index=myindex earliest=-5d@d latest=@d |
bin _time span=1d | search id=* AND _time=* |
table id, _time | stats dc(id) by _time
I got identical results without or without the table command. But again, replace dc by dedup id, _time | stats count then I got different answer when I have the table .
Regarding the worry that "table is only bringing back two fields, as a try I changed that part to table id, _time, host, source , but still the problem is isn't resolved. So I think it's not about "table is only bringing back two fields".
... View more
10-13-2016
08:21 AM
To make sure there isn't any "missing values"-related problem, I changed my queries to:
index=myindex earliest=-5d@d latest=@d |
bin _time span=1d | search id=* AND _time=* |
dedup id, _time | stats count
AND
index=myindex earliest=-5d@d latest=@d |
bin _time span=1d | search id=* AND _time=* |
table id, _time | dedup id, _time | stats count
But once again, they gave different result (794 and 798 respectively). 😞
... View more
10-13-2016
08:11 AM
Thanks. Actually I tried your first one as well and it also gave 794, the same answer from the query without the fields id, _time part.
... View more
10-13-2016
08:07 AM
Thanks, but I don't think the event list was changing because the events are updated once a day in a nightly batch job. And I switched between these two queries many times (to debug them) and I always got back 794 and 798 respectively.
And since I use the @d in both the earliest and latest , the time range was fixed while I was debugging it.
... View more
10-12-2016
07:53 PM
In an running a command which uses the dedup command:
index=myindex earliest=-5d@d latest=@d |
bin _time span=1d |
dedup id, _time | stats count
The above query returns 794.
However, if I add a table command before dedup:
index=myindex earliest=-5d@d latest=@d |
bin _time span=1d |
table id, _time | dedup id, _time | stats count
The result is 798! This really puzzles me as I don't expect the table command will change my answer. Am I missing something? Or is it a bug?
... View more
09-13-2016
01:04 AM
I am using DB Connect v2, talking to a MySql database. When I configure the "DB Output operation", in the step "Map the Splunk Fields to Table Columns", there is a checkbox called UPSERT, which is excellent! However, I am asked to pick to one field which is the Unique Key. However, my table has a composite key (composed of 3 fields).
Does DB Connect v2 "DB Output" support composite key when I use UPSERT?
Patrick
... View more
09-08-2016
08:37 AM
I have a form with this input:
<input type="time" token="time_tok">
<label>Time Range</label>
<default>
<earliest>-60d@d</earliest>
<latest>@d</latest>
</default>
<change>
<condition value="now">
<set token="time_tok.latest">@d</set>
</condition>
</change>
</input>
What I want to do is that, whenever someone picks a time range where time_tok.latest is "now", I will force it back to @d (because our index won't contain today data). However, for time input, I don't know how to compare the latest part of the value . The above code doesn't work.
Does anyone know the right way?
Patrick
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
