Splunk Search

Is there an SPL worst practice?

to4kawa
Ultra Champion

I've seen a lot of join, transaction and append SPLs.
Using timechart to show the percentage at each time is hard, but everybody wants to do it.

I think you didn't have to use that SPL.

There is a best practice, but I don't know of a worst practice.

Is there an SPL worst practice? Or can you tell me what's wrong with this way of using it?

1 Solution

gcusello
SplunkTrust

Hi @to4kawa,
I didn't find a worst practice guide and I agree that it could be useful, especially for new entrants: e.g. all the people who worked with SQL and approach Splunk start using the join command in searches!
Anyway, a worst practice is surely the opposite of a best practice, and I didn't find a structured guide to this either, only some hints in a course that I followed at the beginning.
And in addition, I don't think that someone at Splunk can say that there's a worst practice: it isn't a good marketing approach!

In my experience, I try to avoid some features for performance reasons or simply to have more readable code; these are the main worst practices I avoid:

  • I try to avoid transaction and join commands every time I can, and this is the main worst practice!
  • I usually use append (with attention to the number of subsearch results) without problems.
  • I don't like automatic lookups so as not to lose the thread of logic of a search.
  • I don't like to use DB-Connect (I use it only if I'm forced!) for security reasons and I prefer to use an export of data on a file.

Then there's something else, but less important:

  • I don't like to use Field Extractor; I prefer to create fields using regexes.
  • I don't like to have a different eval for each field transformation; I prefer to have one eval.
  • I don't like to leave the token's name in the time picker.
  • etc...

Ciao.
Giuseppe


lloydknight
Builder

hello @gcusello

I don't like automatic lookups so as not to lose the thread of logic of a search.

About this one worst practice, I understand that this facility has a performance impact, but this is always catered for in the intro courses. What alternatives would you recommend, should we avoid automatic lookups, aside from using | inputlookup?

Sorry for this question under a comment.


gcusello
SplunkTrust

Hi @lloydknight,
I don't use automatic lookups; I prefer to use the lookup command in searches.

My hint is only related to automatic lookups, not to lookups in general.

Ciao.
Giuseppe

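As an added illustration of the two points above (avoiding join/transaction, and calling lookup explicitly instead of relying on an automatic lookup), here is example SPL that is not from this thread or from any of the posters. The index, sourcetype, field and lookup-file names (web, auth, access_combined, login, session_id, user_roles.csv) are constructed assumptions, and the inline comments use the triple-backtick comment syntax available from Splunk 9.0.

```spl
index=web sourcetype=access_combined ```join form: the subsearch must finish first and is capped at the subsearch result limit```
| join type=inner user
    [ search index=auth sourcetype=login action=success
      | stats latest(src_ip) AS login_ip BY user ]
| stats count AS web_requests BY user login_ip

(index=web sourcetype=access_combined) OR (index=auth sourcetype=login action=success) ```same result with one streaming search and no subsearch limit```
| eval login_ip=if(index="auth", src_ip, null())
| stats count(eval(index="web")) AS web_requests latest(login_ip) AS login_ip BY user
| where web_requests > 0 AND isnotnull(login_ip) ```keeps only users seen in both sources, like the inner join```

index=web sourcetype=access_combined ```transaction form: groups whole events in memory per session```
| transaction session_id maxspan=30m

index=web sourcetype=access_combined ```stats form: computes the same session facts without keeping raw events```
| stats min(_time) AS session_start max(_time) AS session_end dc(uri_path) AS distinct_pages values(status) AS statuses BY session_id
| eval duration=session_end-session_start

index=web sourcetype=access_combined ```explicit lookup instead of an automatic lookup: the enrichment is visible in the search itself```
| lookup user_roles.csv user OUTPUT role department ```assumed lookup file with columns user, role, department```
| stats count BY role department
```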

martin_mueller
SplunkTrust

I'd say using automatic lookups is good practice.

  • avoids duplication of SPL when the lookup is used in multiple searches
  • reduces the knowledge a searcher needs to have, they can just look at the events and see the output fields instead of having to know about the lookup file
  • usually no negative performance impact