Channel: Questions in topic: "splunk-enterprise"

Performance issue with query

Hi, I have a query written to find the average exceptions per device on a monthly basis for my use case. The query returns results as expected, but the query performance is very poor. Below is the query and details on it. Requesting your help in optimising the query:

    index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*"
        [ search index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*"
          | join bpRuleId
              [ search index="79390-np" sourcetype=np-cache-v2 (source="*bp_summary*" AND bpPrimaryTechnology="*") ]
          | join deviceId
              [ search index="79390-np" sourcetype=np-cache-v2 source="*group_member*" groupId="*" ]
          | fields deviceId ]
    | eval month_num=strftime(_time,"%m")
    | eval Month=strftime(_time,"%b %Y")
    | stats dc(deviceId) as uniquedevices, dc(source) as sourcecount, count by Month
    | sort month_num
    | eval avgdeviceperupload=count/sourcecount
    | eval avguniquedevices=round(avgdeviceperupload/uniquedevices)
    | rename avguniquedevices as "Average Exceptions Per Device"
    | table Month, "Average Exceptions Per Device"

Details:

sources: bp_detail, bp_summary, group_member
bp_detail fields: bpRuleId, deviceId
bp_summary fields: bpRuleId, bpPrimaryTechnology
group_members fields: groupId, deviceId

Thanks
