What are the differences between pipe Search versus Where commands

There is plenty of information available online, and in the Splunk documentation, about the pipe search versus where Splunk commands:
| search
| where
I decided to concentrate it in one article, including a performance test.

Both commands behave similarly: they filter the results of the main search. We will explain both and see what the difference is.

The bottom line: the “search” command is much faster to execute and less “resource hungry” on the server than “where”.

With both commands you can do the same, but only the “where” command supports field-to-field comparison. For example, you can filter the results where the “fieldA” values are bigger than the “fieldB” values:
| where fieldA > fieldB

In addition, I did a performance comparison of using only the main search against using the main search with a piped search command, which resulted in no performance difference.

If you are interested in more Splunk Enterprise search performance optimization, check the Splunk Documentation:
* Splunk Documentation – Quick Optimization Tips
* Splunk Documentation – Write Better Search Queries

Here is an example of an index (that we are going to query) with user login events, which has several groups of users. The first group is for human user accounts and the second is for service accounts. Each one of them has several sub-groups: user-sql-*
An example of a full user group of ten users: user-sql-lucyj
Each group follows this pattern.

The above just shows how the index is structured, so that the string manipulation in the following queries is understandable. The actual test index is much more complex.

Let us see which command works faster and puts less load on our Splunk test server. You can check the response of your queries in the Splunk “Job Manager”: Top panel =>

Pipe Search Versus Where – The Test

The queries
I executed a query that searches for all the service accounts (the ones containing “sql”) in the main index for a certain 2-hour period, with Logon Type 3 events. The first time I piped to the “search” command and the second time to the “where” command.
1. | fields domain AccountLow Account logtype | search Account="service*" Account="*sql*" | stats values(Account) values(domain) values(logtype) count(logtype) by AccountLow
2. | where (like(AccountLow,"service%")) AND (like(AccountLow,"%sql%")) | stats values(Account) values(domain) values(logtype) count(logtype) by AccountLow

The Result Example
Example result of both queries:
AccountLow | values(Account) | values(domain) | values(logtype) | count(logtype)
Service-sql-append | service-sql-append | test_domain | 3 | 512
Service-sql-provision | service-sql-provision | test_domain | 3 | 438
The actual test index was much more complex; this is just an example.

Pipe Search Versus Where – Difference Points

Query Execution Speed and Server Load
The most important differences are server load and command execution speed, as shown in the Job Manager. We can see that the “where” command was much more demanding on server resources: 191 MB (where) against 35 MB (search). In addition, the “where” command took much more time to execute: 45 seconds (where) against 11 seconds (search). After that I did several more executions of the same queries, with similar results. The queries above covered a period of 2 hours. I conducted another search with the same queries, but within a one-day range. Again the “search” command was much faster, but took more space on the server.

The quotes in the “search” command, like “service*” or “*sql*”, are not really needed, since I do not use any minor segmenters. I use quotes anyway, as a personal preference, for any string objects I use, to keep queries more organized (it does not matter whether it is Splunk or another language). While passing string objects to the “where” command you need to use the quotes, like in “service%” or “%sql%”. If you do not use the quotes, the token will be processed as a field name and not as a string value. For example, if you want to filter results only where the value of “fieldA” equals the value of “fieldB”:
| where fieldA=fieldB
This is the main processing difference between the commands.
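To make the quoting and wildcard rules concrete, here is an added Python model (written for this page; it is not Splunk's code and not from the original post) of the three behaviours the article contrasts: `*` wildcards in `| search`, `%` wildcards in `like()` under `| where`, and an unquoted `| where` operand being resolved as a field name rather than a string. The events are constructed to mirror the index layout described above. The model assumes, from Splunk's documentation rather than from the article's own test, that `search` compares field values case-insensitively while `like()` is case-sensitive and treats `_` as a single-character wildcard.

```python
import re

# Constructed sample events modelled on the index layout in the article
# (human "user-*" accounts and "service-*" accounts, Logon Type 3). Not real data.
EVENTS = [
    {"Account": "user-sql-lucyj",        "AccountLow": "user-sql-lucyj",        "domain": "test_domain", "logtype": 3},
    {"Account": "Service-SQL-Append",    "AccountLow": "service-sql-append",    "domain": "test_domain", "logtype": 3},
    {"Account": "service-sql-provision", "AccountLow": "service-sql-provision", "domain": "test_domain", "logtype": 3},
    {"Account": "service-web-backup",    "AccountLow": "service-web-backup",    "domain": "test_domain", "logtype": 3},
]


def search_match(value, pattern):
    """Model of `| search field="pattern"`: `*` matches any run of characters
    and the comparison is case-insensitive (assumed from Splunk docs)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def like_match(value, pattern):
    """Model of the eval function like(field, "pattern") used under `| where`:
    `%` matches any run of characters, `_` exactly one character, and the
    comparison is case-sensitive (assumed from Splunk docs)."""
    regex = ""
    for ch in pattern:
        if ch == "%":
            regex += ".*"
        elif ch == "_":
            regex += "."
        else:
            regex += re.escape(ch)
    return re.fullmatch(regex, str(value)) is not None


def where_operand(event, token):
    """The article's quoting rule for `| where`: a double-quoted token is a
    string literal; anything else is looked up as a field name (None if absent)."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return event.get(token)


def pipe_search(events, field, *patterns):
    """`| search field="p1" field="p2" ...` (all patterns must match)."""
    return [e for e in events if all(search_match(e.get(field, ""), p) for p in patterns)]


def pipe_where_like(events, field, *patterns):
    """`| where like(field, "p1") AND like(field, "p2") ...`."""
    return [e for e in events if all(like_match(e.get(field, ""), p) for p in patterns)]


def pipe_where_equals(events, left, right):
    """`| where left=right`, with the quoting rule applied to both operands,
    so `AccountLow=Account` is a field-to-field comparison while
    `AccountLow="service-sql-append"` compares against a literal."""
    matched = []
    for e in events:
        lhs = where_operand(e, left)
        if lhs is not None and lhs == where_operand(e, right):
            matched.append(e)
    return matched


def account_lows(events):
    """Helper for inspecting results: the AccountLow values of matched events."""
    return [e["AccountLow"] for e in events]


if __name__ == "__main__":
    # The two filters from the article, run over the constructed events.
    print("search:", account_lows(pipe_search(EVENTS, "Account", "service*", "*sql*")))
    print("where like:", account_lows(pipe_where_like(EVENTS, "AccountLow", "service%", "%sql%")))
    # The quoting pitfall: unquoted right-hand side is a (non-existent) field name.
    print("quoted literal:", account_lows(pipe_where_equals(EVENTS, "AccountLow", '"service-sql-append"')))
    print("unquoted literal:", account_lows(pipe_where_equals(EVENTS, "AccountLow", "service-sql-append")))
```

Running the block shows the mixed-case `Service-SQL-Append` account being picked up by the `search` model but not by `like()` over the `Account` field, which is one practical reason the article filters on the lower-cased `AccountLow` field; and the last two lines show that dropping the quotes around a value in `where` silently turns it into a lookup of a field that does not exist, returning nothing instead of an error.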