topic Re: Optimize my search in Splunk Search

Optimize my search

Mai_splunk — Mon, 19 Oct 2020 21:12:59 GMT

Re: Optimize my search

to4kawa — Mon, 19 Oct 2020 21:28:31 GMT

index=xxxx ( type=utm action=blocked ) OR ( type=traffic action=allowed )| stats count dc(action) as flag by srcip | where flag=2

Re: Optimize my search

Richfez — Mon, 19 Oct 2020 21:31:02 GMT

It could be as simple as this:

index=fw ((type=utm action=blocked) OR (type=traffic action=allowed)) | stats count by srcip

But probably you'll want something a bit more like

index=fw ((type=utm action=blocked) OR (type=traffic action=allowed)) | stats dc(action) as has_both by srcip | search has_both>1

There's actually more possible optimization (especially if srcip is an index time field), but that's going to cut nine hundred percent off your search, I would think, and nine million percent off the search if it's actually *big*.

Re: Optimize my search

Mai_splunk — Mon, 19 Oct 2020 22:08:58 GMT

Thanks so much, it's exactly that i want!

One more doubt, now, How I can reduce the serarch only a public IP? I'm trying this:

srcip!="10.*" AND srcip<"172.16.*" AND srcip>"172.31.*" AND srcip!="192.168.*"

but in the 3th parameter i get any results.

Re: Optimize my search

Richfez — Mon, 19 Oct 2020 22:25:40 GMT

I'd use CIDR notation and see if it gets you farther:

srcip=10.0.0.0/8 OR srcip=172.16.0.0/16

If you want ONLY public IPs, it'd be something like

srcip!=10.0.0.0/8 AND srcip!=172.16.0.0/12 AND srcip!=192.168.0.0/16

That should work. I don't believe wildcards and quotes trigger the real CIDR ... "stuff" in Splunk to search on, but the above should do it.

Re: Optimize my search

Mai_splunk — Mon, 19 Oct 2020 22:31:26 GMT

Thanks so much @Richfez you have been a great help.

Take care.