Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search optimization for rare event and date other than _time

yogip86
Explorer
‎06-25-2020 06:37 AM

I am want to improve the response time for search with rare event and searching with date variable.

Note: I am interested in latest 500 event only. Here "local date" is other than _time variable. For _time is set on other date variable in event which i we can't change.

Scenario 1 : 

index="ABC" earliest=-120d sourcetype="XYX" flag = "Y" xxnumber="8XV5F5FF4"
| head 500| fields id

This search has completed and has returned 6 results by scanning 18 events in 0.254 seconds

Scenario 2 : 

index="ABC" earliest=-120d sourcetype="XYX" flag = "Y" local_date="2020-06-01 00:00:00"
| head 500| fields d

This search has completed and has returned 22 results by scanning 469,911 events in 25.058 seconds 

 Scenario 3: Rare events

index="ABC" earliest=-120d sourcetype="XYX" flag = "Y" local_date>="2020-06-15 00:00:00"
| head 500| fields id

This search has completed and has returned 57 results by scanning 2,943,130 events in 67.789 seconds

if we use any other filter than date filter (which is other than _time) takes less time (less than seconds). 

Can any one suggest how i can get better response time with date filters.?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-25-2020 07:54 AM

Comparing date strings for > or < won't work as expected.  Try converting them to integers.

index="ABC" earliest=-120d sourcetype="XYX" flag = "Y" local_date=*
| eval local_epoch = strptime(local_date, "%Y-%m-%d %H:%M:%S")
| where local_epoch >= strptime("2020-06-15 00:00:00", "%Y-%m-%d %H:%M:%S")
| head 500| fields id
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

yogip86
Explorer
‎06-25-2020 08:23 AM

@richgalloway i just tried this .. its taking almost similar time..  

This search has completed and has returned 57 results by scanning 2,943,130 events in 72.464 seconds

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...