https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52636#M12801 <P>It will not just shorten it, most of all it will make it faster, because the <CODE>search</CODE> command will not have to retrieve as many items from disk just to send them off to <CODE>where</CODE> which will just discard lots of them.</P> <P>If you have that many CIDR blocks, I'd advise you to use a lookup table (they can do CIDR matches as well) - not that I think it'll make any difference performance-wise, but the query will obviously not become two miles long <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 03 Dec 2012 22:51:07 GMT Ayn 2012-12-03T22:51:07Z https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52633#M12798 <P>One of our users has beought forth the following question:</P> <P>I would like to be able to determine if IP Addresses from China are attempting to hit one or more of our servers. I have a list IP ranges for China in CIDR Notation, to the tune of 3400+, ranges. I have figured out how to make a query using the cidrmatch function, but I am afraid that a query of this nature may cause a severe negative impact on the performance of our Splunk environment.</P> <P>The basics of the query that I have put together are:</P> <P>host=myhost AND error_code-12345 | where (cidrmatch("cidrblk1/24", src) OR cidrmatch("cidrblk2/17", src) OR cidrmatch("cidrblk3/19", src) OR...)</P> <P>Is there a better, more efficient way, "SAFER" way to handle this?</P> <P>Is there a better way to handle this?</P> Mon, 03 Dec 2012 21:05:28 GMT https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52633#M12798 ddebevec 2012-12-03T21:05:28Z https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52634#M12799 <P>The <CODE>search</CODE> command can handle CIDR blocks directly, so there's no need to use a separate <CODE>where</CODE> clause there. That will also speed things up.</P> <PRE><CODE>host=myhost AND error_code=12345 AND (src=cidrblk1/24 OR src=cidrblk2/17 OR ...) </CODE></PRE> <P>Note also that the MAXMIND app is pretty good for when you want to perform geolocation searches like this. You'll find it here: <A href="http://splunk-base.splunk.com/apps/22282/geo-location-lookup-script-powered-by-maxmind">http://splunk-base.splunk.com/apps/22282/geo-location-lookup-script-powered-by-maxmind</A></P> Mon, 03 Dec 2012 21:24:07 GMT https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52634#M12799 Ayn 2012-12-03T21:24:07Z https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52635#M12800 <P>Ayn, Thanks for the reply. I am actually the per who asked this question of ddebevec. That will shortent eh actual text of the query. I am looking to see if this is the mst efficient way to do this, or is there another means? The query would still have 3400+ items. Would something like the following severly impact the performance of the server?</P> <P>host=myhost AND error_code=12345 AND (src=cidrblk1/24 OR src=cidrblk2/17 OR ... src=cidrblk1142/24 OP ... OR src=cidrblk2237/15 OR ... OR src=cidrblk3447/23)</P> <P>Is ther ea way to use a table or some other construct?</P> Mon, 03 Dec 2012 22:42:00 GMT https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52635#M12800 cmbarber 2012-12-03T22:42:00Z https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52636#M12801 <P>It will not just shorten it, most of all it will make it faster, because the <CODE>search</CODE> command will not have to retrieve as many items from disk just to send them off to <CODE>where</CODE> which will just discard lots of them.</P> <P>If you have that many CIDR blocks, I'd advise you to use a lookup table (they can do CIDR matches as well) - not that I think it'll make any difference performance-wise, but the query will obviously not become two miles long <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 03 Dec 2012 22:51:07 GMT https://community.splunk.com/t5/Splunk-Search/A-more-efficient-query/m-p/52636#M12801 Ayn 2012-12-03T22:51:07Z