Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search - Taking more time to get the results, How would I make a more efficient search?

Vani_26
Path Finder
‎08-04-2022 03:22 PM

query:

index=xxx host=xx sourcetype=xxx source=xxx
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage



The above query is working fine, But i want to modify the query to run in less time because now it is taking more time to get the results.
Can any one suggest.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martinpu
Communicator
‎08-04-2022 03:50 PM 
index=xxx host=xx sourcetype=xxx source=xxx MeasuStatus
|rex field  = -raw  "\MeasuStatus\:(?<Status>.*?)\|"
|where isnotnull(Status)
|eval Success=if(Status="0", "Done", null())
|eval Failed=if(Status!="0", "notDone", null())
|stats count(Sucess) as SuccessC count(Failed) as FailedC count(Status) as overall
|eval SuccessPerc=(SuccessC/overall) *100
|eval SucessPercentage=round(SucessPerc,2)
|table SucessPercentage

 Add your keyword to the base query. How many events are retrieved for e.g. if you search 1 hour?

 

Move your field extraction from REX to field extractions and then search using Status=*


This query should run pretty fast, how long is taking on average and for what timeframe?

0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎08-04-2022 09:30 PM

This is a dashboard query, it is taking around 10mins to load the panel. 

Here in raw data status is mentioned as status:1002

Time range 7 days

 

Is there any possibility to use tstats term and prefix in the query.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...