Hi,
I am pretty new to Splunk and wanted to know how to determine the performance of a query. Is it through the "Inspect Job" option?
Also, can anyone help me with optimizing the following query, or is it already optimized?
index="example"
| lookup Lookup_1 RecordNumber OUTPUT Location, VIP_Guest_Number
| search Location != ""
| eval Guest_Name=upper(Guest_LN) + ", " + upper(Guest_FN)
| lookup Lookup_2 "User ID" as UID OUTPUT "Department Name" as Department, "Institution" as Institution, Title, Manager as MUID
| table Arrival_Date, UID, User_Name, RecordNumber, Guest_Name, Location, VIP_Guest_Number, Metric_Name, Department, Institution, Title, MUID
This query takes about 220 seconds (as seen on the Inspect Job tab) to generate results when given around 12-13 million rows.
Is there any way I can make it work faster or is it what it is?
Thank you in advance