I was recently exploring the performance impact of the join command and I wanted to share my findings. Although it is often possible, and recommended, to avoid the join command, sometimes it is necessary to use join. I will demonstrate this situation with an unusual query. In order to provide a generic example, I am using the _internal index joined to the _internal index itself. Not a real-world example, but it is sufficient to demonstrate the principle. For this join, I am using the default field _cd, which is not shown in the regular Splunk web search UI, so I copied the field to foo. In each query below the subsearch runs the same search and eval over _internal that the main search does.

```spl
index=_internal | eval foo=_cd | join foo [ search index=_internal | eval foo=_cd ]
```

Explanation: The join command returns all of the fields back to the browser.

Execution time for 3 invocations (seconds): 5.585, 5.576, 5.302

```spl
index=_internal | eval foo=_cd | fields foo | join foo [ search index=_internal | eval foo=_cd ]
```

Explanation: I'm not sure why, but even in Fast Mode, without the 'fields foo' term in the main search, all of the event fields are returned, and search performance suffers.

Execution time for 3 invocations (seconds): 4.879, 4.895, 4.642

```spl
index=_internal | eval foo=_cd | fields foo | join foo [ search index=_internal | eval foo=_cd | fields foo ]
```

Explanation: By returning only the fields we care about, in the subsearch as well as in the main search, search performance is much better.

Execution time for 3 invocations (seconds): 1.921, 1.949, 1.889

Conclusion: When using join, be sure to use fields as well, in both the main search and the subsearch. For larger queries and events, this can make a substantial difference.

Some background on the command, as the Splunk documentation describes it: the join command is used to merge the results of a subsearch with the results of the main search. The traditional join command joins the results from the main results pipeline with the search pipeline results provided as the last argument. You can optionally specify the exact fields to join on; if no fields are specified, all fields that are shared by both result sets are used. The join command also has an option, max=<int>, that specifies the maximum number of subsearch results that each main search result can join with; the default is 1, and setting it to 0 specifies an unlimited number. Read more about subsearches, and the commands that use them such as join, append, or appendcols, in the online documentation.

From a related discussion about joining a main search against a large summary index:

"I had a vaguely similar problem a few weeks ago. One thing you could also do is change the sub-search to something. Perhaps limiting the results from the summary index can return fewer results and thereby produce faster search times. If you have 3.8m events in the summary index, do you want to check for all users in the index, or only active users, or users who logged in or accessed in the last 7 days or so?"

"In your query, just write `join max=0 SessionId` in place of `join SessionId`."

A related memory limit applies to eventstats, which is a dataset processing command: the eventstats search processor uses the limits.conf setting max_mem_usage_mb to limit how much memory the eventstats command can use to keep track of information, and the limits.conf setting maxvalues sets the maximum number of values for any field to keep track of.
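As an added worked example (not part of the original post), here is how the advice above combines in a security-flavoured correlation. The first search joins one login event per session to every request made in that session: both sides keep only the fields the join and the later stats need, the subsearch is bounded by a time window so it returns fewer rows, and max=0 makes each session row pair with all of its requests instead of only the first. The second search produces the same per-session counts without join, which is the recommended form wherever it is possible. The index name web, the sourcetypes app:login and app:access, and the fields SessionId, user, src_ip, uri and status are assumptions for illustration, not names from the original page.

```spl
index=web sourcetype=app:login earliest=-24h
| fields _time, SessionId, user, src_ip
| join type=inner max=0 SessionId
    [ search index=web sourcetype=app:access earliest=-24h
      | fields SessionId, uri, status ]
| stats count AS requests, dc(uri) AS distinct_uris, count(eval(status>=400)) AS errors
        BY SessionId, user, src_ip
| where errors > 20

index=web (sourcetype=app:login OR sourcetype=app:access) earliest=-24h
| fields _time, sourcetype, SessionId, user, src_ip, uri, status
| stats values(user) AS user, values(src_ip) AS src_ip,
        count(eval(sourcetype="app:access")) AS requests,
        dc(uri) AS distinct_uris,
        count(eval(status>=400)) AS errors
        BY SessionId
| where errors > 20
```

Run against the same data, both searches should return the same sessions. The join form remains subject to the subsearch limits in limits.conf (the [join] stanza's subsearch_maxout, 50,000 rows by default, and subsearch_maxtime), so on a busy site the access-log subsearch can be truncated silently and sessions go missing from the result; the stats form has no such cap, and the fields command before stats still keeps the search pipeline from carrying every event field up to the transforming command. That difference, not just the timings measured above, is the usual reason to prefer stats over join when both are possible.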