https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579294#M10502 <P>Hi All,</P><P>I need to improve the performance of my below search, which currently completes in about 132sec. The search looks for last 7 days data from firewall logs.&nbsp;</P><P>Search:</P><P>index="xxx" src_ip !="a.b.c.d/26" src_ip !="x.y.z.w/26" src_zone!=ABCD src_zone!=ABCDE (dest_zone = "ABCD" OR (dvc_name IN ("qwerty","abcd","xyz","asdf") AND dest_zone="XYZ")) app IN (ldap,rmi-iiop) | lookup some_lookup ip as src_ip OUTPUT matched | search matched!="yes" | stats count by src_ip,action,date_mday | stats count by src_ip,action | search (action=allowed OR (action=blocked AND count&gt;1))</P><P>&nbsp;</P><P>Thanks in advance.</P><P>Regards,</P><P>Shaquib</P> Mon, 27 Dec 2021 10:13:20 GMT shaquibk 2021-12-27T10:13:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579294#M10502 <P>Hi All,</P><P>I need to improve the performance of my below search, which currently completes in about 132sec. The search looks for last 7 days data from firewall logs.&nbsp;</P><P>Search:</P><P>index="xxx" src_ip !="a.b.c.d/26" src_ip !="x.y.z.w/26" src_zone!=ABCD src_zone!=ABCDE (dest_zone = "ABCD" OR (dvc_name IN ("qwerty","abcd","xyz","asdf") AND dest_zone="XYZ")) app IN (ldap,rmi-iiop) | lookup some_lookup ip as src_ip OUTPUT matched | search matched!="yes" | stats count by src_ip,action,date_mday | stats count by src_ip,action | search (action=allowed OR (action=blocked AND count&gt;1))</P><P>&nbsp;</P><P>Thanks in advance.</P><P>Regards,</P><P>Shaquib</P> Mon, 27 Dec 2021 10:13:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579294#M10502 shaquibk 2021-12-27T10:13:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579295#M10503 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236314">@shaquibk</a>,</P><P>You can try below, I changed lookup method;</P><LI-CODE lang="markup">index="xxx" src_ip !="a.b.c.d/26" src_ip !="x.y.z.w/26" src_zone!=ABCD src_zone!=ABCDE (dest_zone = "ABCD" OR (dvc_name IN ("qwerty","abcd","xyz","asdf") AND dest_zone="XYZ")) app IN (ldap,rmi-iiop) [| inputlookup some_lookup | fields ip | rename ip as src_ip | format ] | stats count by src_ip,action,date_mday | stats count by src_ip,action | search (action=allowed OR (action=blocked AND count&gt;1))</LI-CODE><P>&nbsp;</P> Mon, 27 Dec 2021 10:52:00 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579295#M10503 scelikok 2021-12-27T10:52:00Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579365#M10504 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;</P><P>The below method somehow doesn't return any results at all.</P><P>Thanks,</P><P>Shaquib</P> Tue, 28 Dec 2021 09:44:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579365#M10504 shaquibk 2021-12-28T09:44:57Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579370#M10505 <P>Hi</P><P>maybe you should use this&nbsp;<A href="https://docs.splunk.com/Documentation/CIM/5.0.0/User/Overview" target="_blank">https://docs.splunk.com/Documentation/CIM/5.0.0/User/Overview</A>&nbsp;with data model acceleration? There is&nbsp;<A href="https://docs.splunk.com/Documentation/CIM/5.0.0/User/NetworkTraffic" target="_blank">https://docs.splunk.com/Documentation/CIM/5.0.0/User/NetworkTraffic</A>&nbsp;for this kind of use.</P><P>r. Ismo</P> Tue, 28 Dec 2021 10:48:06 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Improve-search-performance/m-p/579370#M10505 isoutamo 2021-12-28T10:48:06Z