topic Re: Search strings in a different fields with different name under different indexes in Splunk Search

Search strings in a different fields with different name under different indexes

splunkerer — Wed, 14 Jul 2021 21:02:47 GMT

I have two indexes including command line arguments, one has field name arg, the other one has field name command, what is the best practice to search some strings on both fields under different indexes to create alert if matches.

index=A arg="*command_string_to_search*"
OR
index=B command="*command_string_to_search*"

How can we improve this search from performance standpoint?

Thanks,

Re: Search strings in a different fields with different name under different indexes

venkatasri — Wed, 14 Jul 2021 23:47:04 GMT

Hi @splunkerer

What you have written is fine as you have data in two different indexes. Fieldnames doesn't matter though they have common values as long as you have OR condition.

Couple of points to fine tune:

Try not to use leading wildcards, if you know upfront just give full value there instead to start with * and end with *
use fields command <your_search> | fields <field1> <field2> , this limits the processing of unnecessary fields hence impact on SH is minimal
if your fields arg, command are indexed fields try to see if you can use | tstats
If your SH pointed to various indexers ( pre-prod, prod etc) aka splunk_server field, if you upfront aware your indexer names then use splunk_server field

----

An upvote would be appreciated if this reply helps and Accept the solution!

Re: Search strings in a different fields with different name under different indexes

splunkerer — Thu, 15 Jul 2021 00:26:05 GMT

Thanks @venkatasri for all great recommendations.

I was thinking it may be useful to use rex in a field instead of using a couple of heavy string? what do you think on that?

| rex field=command "(string_1)|(string_2)|(string_3)|(strings_4)"

but the problem here is strings which will be searched can be anywhere of the field

Re: Search strings in a different fields with different name under different indexes

venkatasri — Thu, 15 Jul 2021 00:43:24 GMT

@splunkerer | rex is for field extractions not for search. What you have written originally that is self sufficient though the command/arg values are long it does job well when you follow field = "value" rather than doing raw search.

if you think the fields match many sourcetypes/source under index=A OR B then specify the sourcetype= , source= , host= (this is fundamental searching a whole index takes time) the more details you put in upfront to SPL then results would be narrowed down and faster.