cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cmontanari
Explorer
Member since: ‎01-26-2022
‎01-31-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎01-26-2022
Activity Feed
View All

Re: Optimize query that hits disk usage limit when...

by in Splunk Search
‎01-27-2022 12:11 PM
‎01-27-2022 12:11 PM
Thank you! Your message made me realize I could write the query in another way. This is where I landed after the changes suggested by @yuanliu  + your message: match some stuff | fields _time,ResponseStatus,RequestName | fields - _raw | bucket _time span=1d | eval ResponseStatus=if(isnull(ResponseStatus), 504, ResponseStatus) | eventstats count as "total" by _time | stats count first(total) as "total" by _time, ResponseStatus | eval percent=(count/total)*100 | timechart span=1d first(percent) by ResponseStatus  Most likely further improvements can be made here as well, but as long as it is not hitting the disk threshold I'm happy with it 🙂  ... View more

Re: Optimize query that hits disk usage limit when...

by in Splunk Search
‎01-27-2022 12:01 PM
‎01-27-2022 12:01 PM
Thank you! Converting that eventstats into stats made it work. The use of table didn't seem to have an impact on performance overall  ... View more

Optimize query that hits disk usage limit when com...

by in Splunk Search
‎01-26-2022 11:06 AM
‎01-26-2022 11:06 AM
Hi All, What I'm trying to do is to have a chart with time on x-axis and percentages by ResponseStatus on y-axis.  To do that I come up with the below Splunk search query:     match some http requests | fields _time,ResponseStatus,RequestName | eval Date=strftime(_time, "%m/%d/%Y") | eval ResponseStatus=if(isnull(ResponseStatus), 504, ResponseStatus) | eventstats count as "totalCount" by Date | eventstats count as "codeCount" by Date,ResponseStatus | eval percent=round((codecount/totalCount)*100) | chart values(percent) by Date,ResponseStatus      But it is hitting the disk usage limit (500MB - which I can't increase) for a 10 days interval. And I'd like to be able to have this on a 3/4 months interval. What I have noticed is that If I only run the match part of the query, I get all the events without hitting any disk limit, which makes me think the problem is with the counting and group by part of the query. My guess is that Splunk is making the computation by keeping in-memory (or, trying to do so and eventually swapping to disk) the full event message even if I specified the useful fields via the fields command.  Is there any way to either effectively have Splunk ignore all the remaining part of the message or obtain the same result via a different path? Thanks a lot! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-31-2022 01:05 PM
Karma given to
View All