Hi, I am pretty new to Splunk and wanted to know how to determine the performance of a query. Is it through the "Inspect Job" option?
Also, can anyone help me with optimizing the following query, or is it already optimized:
index = "example"
|lookup Lookup_1 RecordNumber OUTPUT Location, VIP_Guest_Number
|search Location != ""
|eval Guest_Name=upper(Guest_LN) + ", "+upper(Guest_FN)
|lookup Lookup_2 "User ID" as UID OUTPUT "Department Name" as Department, "Institution" as Institution, Title, Manager as MUID
|table Arrival_Date, UID, User_Name, RecordNumber, Guest_Name, Location, VIP_Guest_Number, Metric_Name, Department, Institution, Title, MUID
This query takes about 220 seconds (as seen on the Inspect Job tab) to generate results when given around 12-13 million rows. Is there any way I can make it work faster, or is it what it is?
Thank you in advance.