Hi there,
I am trying to decide which Splunk command I should use to give better long-term performance on the search and the search head, and am looking for advice. The functions are `join type=left` or `appendcols override=true`. The goal is to see information that may or may not be in both searches (saw page hits in the last 30 days but no hits to that page today).
**Example result**

| field1 | field2 | field3 | Last 30 Day Total | Last 30 Days % | Today % | Today Total |
|---|---|---|---|---|---|---|
| website1 | URL1 | Page1 | 40618 | 8.605436 | 7.814981 | 1083 |
| website1 | URL2 | Page2 | 6 | 0.001271 | | |
| website2 | URL1 | Page1 | 95650 | 12.050409 | | |
| website2 | URL2 | Page2 | 43862 | 5.525928 | 8.103728 | 50 |

**I have a search with the left join**
```
index=abc data=billing scoring_type=decisioned latest=@d earliest=-30d@d
| top field1, field2 by field3 countfield="Last 30 Day Total" percentfield="Last 30 Days %"
| join type=left
    [search index=abc data=billing latest=now earliest=@d
    | top field1, field2 by field3 countfield="Today Total" percentfield="Today %"]
```
**And then the same search using `appendcols override=true`**
```
index=abc latest=@d earliest=-30d@d
| top field1, field2 by field3 countfield="Last 30 Day Total" percentfield="Last 30 Days %"
| appendcols override=true
    [search index=abc latest=now earliest=@d
    | top field1, field2 by field3 countfield="Today Total" percentfield="Today %"]
```
Both searches give me the results I am looking for, but they are both long running and I want to know performance-wise which is the better method.
Thanks for the responses
msmapper