Hi,
I have a query written to find the average number of exceptions per device on a monthly basis for my use case. The query returns results as expected, but its performance is very poor. Below is the query and the details on it. I request your help in optimising the query:
index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*"
    [ search index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*"
      | join bpRuleId
          [ search index="79390-np" sourcetype=np-cache-v2 (source="*bp_summary*" AND bpPrimaryTechnology="*") ]
      | join deviceId
          [ search index="79390-np" sourcetype=np-cache-v2 source="*group_member*" groupId="*" ]
      | fields deviceId ]
| eval Month=strftime(_time,"%b %Y")
| stats dc(deviceId) as uniquedevices, dc(source) as sourcecount, count, min(_time) as month_start by Month
| sort month_start
| eval avgdeviceperupload=count/sourcecount
| eval avguniquedevices=round(avgdeviceperupload/uniquedevices)
| rename avguniquedevices as "Average Exceptions Per Device"
| table Month, "Average Exceptions Per Device"
Details:
sources: bp_detail, bp_summary, group_member.
bp_detail fields: bpRuleId, deviceId
bp_summary fields: bpRuleId, bpPrimaryTechnology
group_member fields: groupId, deviceId
Thanks
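Added example (not from the original post): the same filtering expressed as one search over all three sources with eventstats, so no join or subsearch is needed and the default subsearch and join result limits cannot silently truncate the device list. It assumes the field names listed in the post and that each source path contains bp_detail, bp_summary or group_member.

```spl
index="79390-np" sourcetype=np-cache-v2
    (source="*bp_detail*" OR source="*bp_summary*" OR source="*group_member*")
| eval src=case(match(source,"bp_detail"),"detail",
                match(source,"bp_summary"),"summary",
                match(source,"group_member"),"member")
| eval is_summary=if(src="summary" AND isnotnull(bpPrimaryTechnology),1,0)
| eval is_member=if(src="member" AND isnotnull(groupId),1,0)
| eventstats max(is_summary) as ruleOk by bpRuleId
| eventstats max(is_member) as devOk by deviceId
| where src="detail"
| eval qualifies=if(ruleOk=1 AND devOk=1,1,0)
| eventstats max(qualifies) as deviceQualifies by deviceId
| where deviceQualifies=1
| eval Month=strftime(_time,"%b %Y")
| stats dc(deviceId) as uniquedevices, dc(source) as sourcecount, count,
        min(_time) as month_start by Month
| sort month_start
| eval avgdeviceperupload=count/sourcecount
| eval avguniquedevices=round(avgdeviceperupload/uniquedevices)
| rename avguniquedevices as "Average Exceptions Per Device"
| table Month, "Average Exceptions Per Device"
```

eventstats keeps per-key state in memory, so on a very large index restrict the time range or move the bp_summary and group_member tables into lookups and replace the two eventstats passes with lookup commands.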