https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623895#M26444 <P><SPAN>Hi&nbsp;</SPAN></P> <P>hope you are doing good.</P> <P>im working on a use case which will trigger if any user is trying to connect from non business country.&nbsp;</P> <P>attaching the snap for the query.</P> <P>my query&nbsp;</P> <P>want to optimize it more if one user is trying is log in from more than 2-3 country than it will trigger.</P> <P>can you please help me with the query&nbsp;</P> <P>&nbsp;</P> <P>thanks&nbsp;</P> <P>debjit&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="75F75914-F270-48E1-BB99-2FE20B70A9E9.jpeg" style="width: 1591px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22948iB2B3D6A27380C7E6/image-size/medium?v=v2&amp;px=400" role="button" title="75F75914-F270-48E1-BB99-2FE20B70A9E9.jpeg" alt="75F75914-F270-48E1-BB99-2FE20B70A9E9.jpeg" /></span></P> <P> </P> Fri, 16 Dec 2022 19:47:09 GMT debjit_k 2022-12-16T19:47:09Z https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623895#M26444 <P><SPAN>Hi&nbsp;</SPAN></P> <P>hope you are doing good.</P> <P>im working on a use case which will trigger if any user is trying to connect from non business country.&nbsp;</P> <P>attaching the snap for the query.</P> <P>my query&nbsp;</P> <P>want to optimize it more if one user is trying is log in from more than 2-3 country than it will trigger.</P> <P>can you please help me with the query&nbsp;</P> <P>&nbsp;</P> <P>thanks&nbsp;</P> <P>debjit&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="75F75914-F270-48E1-BB99-2FE20B70A9E9.jpeg" style="width: 1591px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22948iB2B3D6A27380C7E6/image-size/medium?v=v2&amp;px=400" role="button" title="75F75914-F270-48E1-BB99-2FE20B70A9E9.jpeg" alt="75F75914-F270-48E1-BB99-2FE20B70A9E9.jpeg" /></span></P> <P> </P> Fri, 16 Dec 2022 19:47:09 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623895#M26444 debjit_k 2022-12-16T19:47:09Z https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623898#M26445 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243225">@debjit_k</a>,</P><P>the first possible optimization is to move the search "Keywords="*Audit Success*) in the main search and leave only the search for country at the end of the search.</P><P>Then, if possible, try a different string to search because to have asterisk at the beginning of a string isn't efficient.</P><P>Then what's the sense of use IP and other fields in a stats command and then dedup by IP, in this way you have a longer search and you loose (or not use) some information,</P><P>Then you could put iplocation command after the stats command.</P><P>so you could use a different stats:</P><LI-CODE lang="markup">index=sdp_siem_win (host=AZPLTADFS1 OR host=AZPLTADFS1) keywords="*Audit Success*) | rex "first regex" | rex "second regex" | stats values(Username) AS Username values(Keyword) AS Keyword values(EventCode) AS EventCode count BY IP | iplocation IP | search NOT [inputlookup SDP_Country.csv | dedup Country | fields Country] | table IP Country Username keyword EventCode count</LI-CODE><P>Next time, please, don't share your search using a screenshot but put it as text in a Code Sample window.</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Sat, 10 Dec 2022 09:59:56 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623898#M26445 gcusello 2022-12-10T09:59:56Z https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623901#M26446 <P><SPAN>Hi&nbsp;</SPAN><A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352" target="_blank" rel="noopener">@gcusello</A>,</P><P>&nbsp;</P><P>thank you for the updated query but im looking for a query which will only trigger if a single is log from 2 different country&nbsp;</P><P>&nbsp;</P><P>example</P><P>ip &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; user &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; country</P><P>10.0.0.0 &nbsp; &nbsp; &nbsp; debjit &nbsp; &nbsp; &nbsp; &nbsp; india</P><P>10.0.0.0 &nbsp; &nbsp; &nbsp; debjit &nbsp; &nbsp; &nbsp; &nbsp; japan&nbsp;</P><P>&nbsp;</P><P>can you please help me to fig out the above solution</P><P>&nbsp;</P><P>thanks</P><P>debjit</P> Sat, 10 Dec 2022 10:46:04 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623901#M26446 debjit_k 2022-12-10T10:46:04Z https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623902#M26447 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243225">@debjit_k</a>,</P><P>please try something like this:</P><LI-CODE lang="markup">index=sdp_siem_win (host=AZPLTADFS1 OR host=AZPLTADFS1) keywords="*Audit Success*) | rex "first regex" | rex "second regex" | iplocation IP | search NOT [inputlookup SDP_Country.csv | dedup Country | fields Country] | stats values(IP) AS IP dc(Country) AS Country_count values(Country) AS Country BY Username | where Country_count&gt;1</LI-CODE><P>please, next time share your search as text!</P><P>Ciao.</P><P>Giuseppe</P> Sat, 10 Dec 2022 10:53:04 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-optimize-the-current-query/m-p/623902#M26447 gcusello 2022-12-10T10:53:04Z