Splunk
Replacing join in Splunk
앗사비
2024. 1. 22. 14:32
https://community.splunk.com/t5/Splunk-Search/Alternative-method-to-using-Join-command/m-p/532978
join is slow and caps the number of results it returns, so it is not recommended.
---
The following two searches return the same results.
join approach
index="log_pd_com" uri_path IN (/pd/install)
| stats dc(clientip) as inst_device by clientip
| join type=left clientip
[ search index="log_pd_com" uri_path IN (/pd/uninstall)
| stats dc(clientip) as uninst_device by clientip]
Using stats instead of join
index="log_pd_com" uri_path IN (/pd/install, /pd/uninstall)
| stats count by clientip, uri_path
| rex field=uri_path "^/[^/]+/(?<path_type>.*)$"
| eval inst_device = if(path_type="install", 1, null())
| eval uninst_device = if(path_type="uninstall", 1, null())
| stats values(inst_device) as inst_device values(uninst_device) as uninst_device by clientip
| where inst_device=1
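As an added example (not from the original post), the same join-free pattern extended with `count(eval(...))` and timestamp aggregates, so install/uninstall counts and the last install and uninstall times for each client come out of a single stats pass; the index name and the `uri_path` / `clientip` fields are assumed to match the searches above.

```spl
index="log_pd_com" uri_path IN (/pd/install, /pd/uninstall)
| rex field=uri_path "^/[^/]+/(?<path_type>.*)$"
| stats count(eval(path_type="install")) as inst_count
        count(eval(path_type="uninstall")) as uninst_count
        min(eval(if(path_type="install", _time, null()))) as first_install
        max(eval(if(path_type="install", _time, null()))) as last_install
        max(eval(if(path_type="uninstall", _time, null()))) as last_uninstall
        by clientip
| eval inst_device = if(inst_count > 0, 1, null()),
       uninst_device = if(uninst_count > 0, 1, null())
| where inst_device=1
| eval still_installed = if(isnull(last_uninstall) OR last_install > last_uninstall, "yes", "no")
| convert ctime(first_install) ctime(last_install) ctime(last_uninstall)
```

The final `where inst_device=1` keeps the left-join semantics of the original: clients that only ever hit /pd/uninstall are dropped, while clients that installed and never uninstalled keep a null `uninst_device`.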
---
https://conf.splunk.com/files/2020/slides/TRU1761C.pdf
Stats and lookups should be your first tools.
Append/appendcols/join and transaction should be your last resort.
---
https://www.splunk.com/en_us/blog/tips-and-tricks/spl-with-no-joins.html