spotnexus.blogg.se

Splunk subsearch tutorials

Search optimization

Splunk already includes optimization features that analyse and process your searches for maximum efficiency. This efficiency is mainly achieved through the following two optimization goals −

Early Filtering − These optimizations filter the results very early so that the amount of data getting processed is reduced as early as possible during the search process. This early filter avoids unnecessary lookup and evaluation calculations for events that are not part of the final search results.

Parallel Processing − The built-in optimizations can reorder search processing, so that as many commands as possible are run in parallel on the indexers before sending the search results to the search head for final processing.

Splunk has given us tools to analyse how the search optimization works. These tools help us figure out how the filter conditions are used and what the sequence of these optimisation steps is. They also give us the cost of the various steps involved in the search operations.

Example

Consider a search operation to find the events which contain the words fail, failed or password. When we put this search query in the search box, the built-in optimizers act automatically to decide the path of the search. We can verify how long the search took to return a specific number of search results and, if needed, go on to check each and every step of the optimization along with the cost associated with it. We follow the path of Search → Job → Inspect Job to get these details as shown below −

The next screen gives details of the optimization that has occurred for the above query. Here, we need to note the number of events and the time taken to return the result.

We can also turn off the in-built optimization and notice the difference in the time taken for the search result. The result may or may not be better than the in-built search. In case it is better, we may always choose this option of turning off the optimization for only this specific search. In the below diagram, we use the No Optimization command, presented as noop in the search query. The next screen gives us the result of using no optimization. For this given query, the results come faster without using the in-built optimizations.

Subsearches

In this section you will learn how to correlate events by using subsearches. A subsearch is a search that is used to narrow down the set of events that you search on. Subsearches are enclosed in square brackets within a main search and are evaluated first. The result of the subsearch is then used as an argument to the primary, or outer, search.

Let's find the single most frequent shopper on the Buttercup Games online store, and what that shopper has purchased. The following examples show why a subsearch is useful. Example 1 shows how to find the most frequent shopper without a subsearch. Example 2 shows how to find the most frequent shopper with a subsearch.

Example 1: Find the most frequent shopper without a subsearch

  • You want to find the single most frequent shopper on the Buttercup Games online store and what that shopper has purchased. Use the top command to return the most frequent shopper.
  • To find the shopper who accessed the online shop the most, use this search:

        sourcetype=access_* status=200 action=purchase | top limit=1 clientip

  • The clientip argument specifies the field to return. The limit=1 argument specifies to return 1 value.
  • This search returns one clientip value, 87.194.216.51, which you will use to identify the VIP shopper. The search also returns a count and a percent. These are the default fields that are returned with the top command.
  • You now need to run another search to determine how many different products the VIP shopper has purchased.
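Example 2, the subsearch form that the page refers to but does not print, as an added example rather than the page's own search. It assumes the access logs carry a productId field, which the page does not mention; the clientip, status, action and sourcetype values are the page's own.

```spl
sourcetype=access_* status=200 action=purchase
    [search sourcetype=access_* status=200 action=purchase
     | top limit=1 clientip
     | table clientip]
| stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Product IDs" BY clientip
| rename clientip AS "VIP Customer"
```

The bracketed subsearch runs first and its single row is rewritten into the outer search as clientip=87.194.216.51; the trailing table clientip drops the count and percent that top also emits, which would otherwise be appended to that condition as extra AND terms. Search → Job → Inspect Job on the outer search shows the expanded query and the time each stage took.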
