Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search - Taking more time to get the results, How would I make a more efficient search?

Vani_26
Path Finder
‎08-04-2022 03:22 PM

query:

index=xxx host=xx sourcetype=xxx source=xxx
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage



The above query is working fine, But i want to modify the query to run in less time because now it is taking more time to get the results.
Can any one suggest.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎08-04-2022 09:30 PM

This is a dashboard query, it is taking around 10mins to load the panel. 

Here in raw data status is mentioned as status:1002

Time range 7 days

 

Is there any possibility to use tstats term and prefix in the query.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...