https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42226#M179037 <P>I'm trying to run a search for a large number (45) of suspect IP addresses. The search runs for 12 hours or more but never returns any results, and on the jobs page always shows "Running (0%)". </P> <P>earliest=06/01/2011:0:0:0 NOT deny ("112.64.161.162" OR "113.142.9.125" OR "118.102.252.227" OR . . . ) |outputcsv 201107111.csv</P> <P>Using outputcsv because I'm expecting more than 10K results based on individual searches on some of the addresses. </P> <P>I know this is an inefficient and expensive search, but it seems that it should eventually complete.</P> Wed, 13 Jul 2011 17:46:53 GMT rgcox1 2011-07-13T17:46:53Z https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42226#M179037 <P>I'm trying to run a search for a large number (45) of suspect IP addresses. The search runs for 12 hours or more but never returns any results, and on the jobs page always shows "Running (0%)". </P> <P>earliest=06/01/2011:0:0:0 NOT deny ("112.64.161.162" OR "113.142.9.125" OR "118.102.252.227" OR . . . ) |outputcsv 201107111.csv</P> <P>Using outputcsv because I'm expecting more than 10K results based on individual searches on some of the addresses. </P> <P>I know this is an inefficient and expensive search, but it seems that it should eventually complete.</P> Wed, 13 Jul 2011 17:46:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42226#M179037 rgcox1 2011-07-13T17:46:53Z https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42227#M179038 <P>If you run the search on the cli, does it behave any differently?</P> Wed, 13 Jul 2011 18:03:31 GMT https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42227#M179038 jbsplunk 2011-07-13T18:03:31Z https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42228#M179039 <P>Comes back in about 10 seconds with no results when run with search command and saved search. When run with the full search string via the dispatch command . . . still processing. I see on the jobs page that "| head 100 | export" has been added to the search? Will post results tomorrow or when finished.</P> Wed, 13 Jul 2011 19:04:35 GMT https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42228#M179039 rgcox1 2011-07-13T19:04:35Z https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42229#M179040 <P>Run from the cli without the outputcsv pipe, the search finishes in a few minutes, but results are incomplete due to the "head 100" that is appended by dispatch.<BR /><BR /> With the outputcsv pipe the search has now run 14 hours with no results.</P> Thu, 14 Jul 2011 14:14:55 GMT https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42229#M179040 rgcox1 2011-07-14T14:14:55Z https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42230#M179041 <P>A guy I work with changed the ("IP....s") to the next stage and did a regex he was fortunate that all his IPs where near the same area.</P> <PRE><CODE>&lt;search&gt; | regex _raw="10.(8.(43.5|52.4)|9.(232.4|144.(4|33))" | &lt;presentation&gt; </CODE></PRE> <P>he is good with RegEx and the above is easy to add an remove, for those who can read it.</P> Thu, 21 Jul 2011 20:36:29 GMT https://community.splunk.com/t5/Splunk-Search/Search-never-finishes/m-p/42230#M179041 fk319 2011-07-21T20:36:29Z