If you’re coming to the Splunk user conference in Vegas, aka conf19, come see my talk – “Master Joining Your Datasets Without Using Join”! It’s on Thursday 10/24 10:30am.
If you use Splunk and you have any searches or reports that use the join, append, or transaction commands, this is a talk for you. Likewise, if you have “long-running” searches or reports, or heck, if you run any searches with more than a few commands in them, you should come.
Because this is such a core thing in Splunk, it’s the opposite of new and shiny, but it’s still just as important as ever, and it’s still a place in Splunk where it’s surprisingly easy to shoot yourself in the foot. I’ll essentially show how Splunk implements its distributed reporting and how the search language pushes the bulk of the reporting work out to the indexer nodes. I’ll also show how easy it is to go down the wrong roads, like using join and append when you shouldn’t, and how to troubleshoot and fix things when you do.
I hope to see you there!
Also, on a higher level: if you’ve been wishing there was more technical content at .conf, this is one of just 5 special talks that have been selected by the Splunk Community, which is kind of a new thing at conf this year. So if you’ve been wishing for more technical content, vote with your feet! Register for these talks, come to them, and if you like them we’ll keep this ball rolling and get even more technical content into the conference next year!
Last but not least, while I’m plugging excellent technical things at conf, I can’t resist also plugging Martin Müller’s talk about fields and indexed tokens.