
Replacing join in Splunk

by 앗사비, 2024. 1. 22.

https://community.splunk.com/t5/Splunk-Search/Alternative-method-to-using-Join-command/m-p/532978
join is slow and the number of results it returns is capped, so it is not recommended.

---

The following two queries produce identical results.

The join approach:

index="log_pd_com" uri_path IN (/pd/install) 
| stats dc(clientip) as inst_device by clientip 
| join type=left clientip 
    [ search index="log_pd_com" uri_path IN (/pd/uninstall) 
    | stats dc(clientip) as uninst_device by clientip]

Using stats instead of join:

index="log_pd_com" uri_path IN (/pd/install, /pd/uninstall) 
| stats count by clientip, uri_path 
| rex field=uri_path "^/[^/]+/(?<path_type>.*)$" 
| eval inst_device = if(path_type="install", 1, NULL) 
| eval uninst_device = if(path_type="uninstall", 1, NULL) 
| stats values(inst_device) as inst_device values(uninst_device) as uninst_device by clientip 
| where inst_device=1
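To check the claimed equivalence offline, here is an added Python example (not from the post and not Splunk code) that emulates both pipelines over a handful of constructed events. It reproduces the page's regex and the values()/where steps, and treats dc(clientip) grouped by clientip as the constant 1 it always produces. The optional subsearch_cap argument is an assumption of this example: it simulates the join subsearch returning only its first N rows, which is the "results are capped" problem the post warns about, and shows that the stats version is unaffected.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the page): (clientip, uri_path).
EVENTS = [
    ("10.0.0.1", "/pd/install"),
    ("10.0.0.1", "/pd/install"),
    ("10.0.0.1", "/pd/uninstall"),
    ("10.0.0.2", "/pd/install"),
    ("10.0.0.3", "/pd/uninstall"),   # uninstall with no install: dropped by both queries
    ("10.0.0.4", "/pd/install"),
    ("10.0.0.4", "/pd/uninstall"),
    ("10.0.0.5", "/pd/other"),       # outside the IN (...) filter
]

# Same regex as the page's rex command.
PATH_RE = re.compile(r"^/[^/]+/(?P<path_type>.*)$")


def join_approach(events, subsearch_cap=None):
    """Emulates: search install | stats dc(clientip) by clientip
                 | join type=left clientip [search uninstall | stats dc(clientip) by clientip]
    subsearch_cap (assumed, illustrative) truncates the subsearch's output rows."""
    # dc(clientip) by clientip is always 1, so the outer search is just the set of install IPs
    inst_ips = sorted({ip for ip, path in events if path == "/pd/install"})
    # subsearch output: one row per uninstall clientip
    uninst_rows = sorted({ip for ip, path in events if path == "/pd/uninstall"})
    if subsearch_cap is not None:
        uninst_rows = uninst_rows[:subsearch_cap]   # simulated truncation
    uninst_ips = set(uninst_rows)
    # type=left keeps every outer row; unmatched rows get a null uninst_device
    return {
        ip: {"inst_device": 1, "uninst_device": 1 if ip in uninst_ips else None}
        for ip in inst_ips
    }


def stats_approach(events):
    """Emulates the join-free pipeline from the page, step by step."""
    # search ... uri_path IN (/pd/install, /pd/uninstall) | stats count by clientip, uri_path
    counts = defaultdict(int)
    for ip, path in events:
        if path in ("/pd/install", "/pd/uninstall"):
            counts[(ip, path)] += 1

    # rex ... path_type | eval inst_device / uninst_device (NULL when the type does not match)
    rows = []
    for (ip, path), _count in counts.items():
        m = PATH_RE.match(path)
        path_type = m.group("path_type") if m else None
        rows.append((
            ip,
            1 if path_type == "install" else None,
            1 if path_type == "uninstall" else None,
        ))

    # stats values(inst_device) values(uninst_device) by clientip: distinct non-null values
    agg = defaultdict(lambda: {"inst_device": set(), "uninst_device": set()})
    for ip, inst_flag, uninst_flag in rows:
        if inst_flag is not None:
            agg[ip]["inst_device"].add(inst_flag)
        if uninst_flag is not None:
            agg[ip]["uninst_device"].add(uninst_flag)

    # where inst_device=1; each values() set holds at most the single value 1, so collapse to scalar
    result = {}
    for ip in sorted(agg):
        if 1 in agg[ip]["inst_device"]:
            result[ip] = {
                "inst_device": 1,
                "uninst_device": 1 if 1 in agg[ip]["uninst_device"] else None,
            }
    return result


if __name__ == "__main__":
    print("join  :", join_approach(EVENTS))
    print("stats :", stats_approach(EVENTS))
    print("join with truncated subsearch:", join_approach(EVENTS, subsearch_cap=1))
```

With the full event set both functions return the same three rows (10.0.0.1 and 10.0.0.4 with both flags set, 10.0.0.2 with a null uninst_device). Once the simulated subsearch is truncated, the join silently reports 10.0.0.4 as never uninstalled, while the single-pass stats pipeline still sees every event because nothing is pushed into a subsearch.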


---


https://conf.splunk.com/files/2020/slides/TRU1761C.pdf

Stats and lookups should be your first tools.
Append/appendcols/join and transaction should be the last resort.

---

https://www.splunk.com/en_us/blog/tips-and-tricks/spl-with-no-joins.html

