What are the differences between pipe Search versus Where commands

Both commands behave in a similar way: they filter the results of the main search. There is plenty of information available online and in the Splunk documentation about the pipe search versus where Splunk commands (| search and | where), so we decided to concentrate it in one article, including a performance test. We will explain both and see what the difference is.

The bottom line: the "search" command is much faster on execution and less server "resource hungry" than "where". With both commands you can do the same filtering, but only the "where" command supports field-to-field comparison. Meaning, for example, you can filter the results where "fieldA" values are bigger than "fieldB" values:

| where fieldA > fieldB

In addition, we did a performance comparison of using only the main search command against using the main search with a pipe search command, which resulted in no performance difference.

If you are interested in more Splunk Enterprise search performance optimization, check the Splunk Documentation:
* Splunk Documentation – Write Better Search Queries
* Splunk Documentation – Quick Optimization Tips

Here is an example of an index (that we are going to query) with user login events, which has several groups of users. The first group is for human user accounts and the second is for service accounts. Each group can follow this example. An example of a full user group of ten users: user-sql-lucyj. Each one of them has several sub-groups: user-sql-*
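The filters the article compares, written as savedsearches.conf stanzas so each form can be scheduled and timed side by side (added example, not from the original article; the index name auth, the sourcetype login and the fields user and action are assumptions):

```ini
# Added example (not from the original article). Index "auth",
# sourcetype "login" and the fields user/action are assumptions.

[svc-login-failures-main-search]
# Fastest form: the filter is part of the main search, so it is applied
# against indexed terms before events are returned.
search = index=auth sourcetype=login user="user-sql-*" action=failure
dispatch.earliest_time = -24h

[svc-login-failures-pipe-search]
# Same result via the pipe search command; the article measured no
# difference between this form and the one above.
search = index=auth sourcetype=login \
    | search user="user-sql-*" action=failure
dispatch.earliest_time = -24h

[svc-login-failures-where]
# Same filter with "where": the wildcard needs the like() eval function
# and is evaluated per event, so it is slower and heavier than the
# two forms above.
search = index=auth sourcetype=login \
    | where like(user, "user-sql-%") AND action="failure"
dispatch.earliest_time = -24h

[accounts-more-failures-than-successes]
# The one thing only "where" can do: compare one field with another.
# In "| search failed>succeeded" the right-hand side would be taken as
# the literal string "succeeded", not as a field reference.
search = index=auth sourcetype=login \
    | stats count(eval(action="failure")) AS failed, \
            count(eval(action="success")) AS succeeded BY user \
    | where failed > succeeded
dispatch.earliest_time = -24h
```

Run each stanza over the same time range and compare the search job inspector timings; the first three return the same events, so any difference is the cost of the filtering command itself.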