https://community.splunk.com/t5/Splunk-Dev/Search-Query-Optimizing/m-p/745143#M11906 <P>Optimising this will depend on your data. Using subsearches with lookups can be expensive and using NOT with subsearches, even more so.</P><P>Depending on the volume of entries in those lookups you will be better off using a lookup, e.g.</P><LI-CODE lang="markup">index:: rasp_ NOT ( forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null) app!="" app!="\"*\"" app!="VASTID*" host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd** host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*" category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*" action=* | lookup Scanners_Ext.csv forwarded_for OUTPUT forwarded_for as found | where isnull(found) | lookup Scanners_Int.csv ip_addr as forwarded_for OUTPUT ip_addr as found | where isnull(found) | lookup vz_nets.csv netblock as forwarded_for OUTPUT netblock as found | where isnull(found) | stats count</LI-CODE><P>so the static NOT statement and other != comparisons is part of the search and then you do each lookup in turn and if it's found then it will be discarded.</P><P>The order of the 3 lookups would be in likely match count order, so the first lookup should be done that would be expected to reduce the event count by the max, and so on.</P><P>Using NOT or all your != wildcard searches at the beginning will be somewhat expensive, you can use TERM() to reduce data scan count, but that requires knowing your data well.</P><P>&nbsp;</P> Tue, 29 Apr 2025 04:21:23 GMT bowesmana 2025-04-29T04:21:23Z https://community.splunk.com/t5/Splunk-Dev/Search-Query-Optimizing/m-p/745125#M11905 <P>Please help me to Optimize this Splunk Query</P><PRE>index:: rasp_<BR /><BR />NOT [inputlookup Scanners_Ext.csv | fields forwarded_for]<BR /><BR />NOT [inputlookup Scanners_Int.csv | rename ip_addr AS forwarded_for | fields forwarded_for]<BR /><BR />NOT [inputlookup vz_nets.csv | rename netblock AS forwarded_for | fields forwarded_for]<BR /><BR />NOT (forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null) app!="" app!="\"*\"" app!="VASTID*" host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd** host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*" category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*" action=*<BR /><BR />| stats count</PRE> Mon, 28 Apr 2025 21:08:47 GMT https://community.splunk.com/t5/Splunk-Dev/Search-Query-Optimizing/m-p/745125#M11905 kunalsingh 2025-04-28T21:08:47Z https://community.splunk.com/t5/Splunk-Dev/Search-Query-Optimizing/m-p/745143#M11906 <P>Optimising this will depend on your data. Using subsearches with lookups can be expensive and using NOT with subsearches, even more so.</P><P>Depending on the volume of entries in those lookups you will be better off using a lookup, e.g.</P><LI-CODE lang="markup">index:: rasp_ NOT ( forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null) app!="" app!="\"*\"" app!="VASTID*" host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd** host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*" category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*" action=* | lookup Scanners_Ext.csv forwarded_for OUTPUT forwarded_for as found | where isnull(found) | lookup Scanners_Int.csv ip_addr as forwarded_for OUTPUT ip_addr as found | where isnull(found) | lookup vz_nets.csv netblock as forwarded_for OUTPUT netblock as found | where isnull(found) | stats count</LI-CODE><P>so the static NOT statement and other != comparisons is part of the search and then you do each lookup in turn and if it's found then it will be discarded.</P><P>The order of the 3 lookups would be in likely match count order, so the first lookup should be done that would be expected to reduce the event count by the max, and so on.</P><P>Using NOT or all your != wildcard searches at the beginning will be somewhat expensive, you can use TERM() to reduce data scan count, but that requires knowing your data well.</P><P>&nbsp;</P> Tue, 29 Apr 2025 04:21:23 GMT https://community.splunk.com/t5/Splunk-Dev/Search-Query-Optimizing/m-p/745143#M11906 bowesmana 2025-04-29T04:21:23Z