https://community.splunk.com/t5/Splunk-Search/Most-efficient-alot-of-smaller-searches-or-one-large-one/m-p/105175#M27275 <P>The single search is most probably the most efficient one.</P> Thu, 16 Dec 2010 03:20:26 GMT ziegfried 2010-12-16T03:20:26Z https://community.splunk.com/t5/Splunk-Search/Most-efficient-alot-of-smaller-searches-or-one-large-one/m-p/105174#M27274 <P>Trying to find out what is most efficient in this scenario resource/time wise.</P> <P>We want to do a search across the last 90 days that looks for sshd and matching a user, to look for logins.</P> <P>Is it better to loop over a user list inputting a search for each user separately as 'earliest=-90d sshd user=$var_user' one at a time or to do one search with all the users OR'ed like so 'earliest=-90d sshd (user=$var_user OR user=$var_user1 OR....)'?</P> <P>This is in the context of the user list being hundreds of users long. So are hundreds of stacked up long-length single-term searches better than lots and lots of ORs across the same time range in a single search.</P> <P>Thoughts?</P> <P>Scott</P> Thu, 16 Dec 2010 02:57:52 GMT https://community.splunk.com/t5/Splunk-Search/Most-efficient-alot-of-smaller-searches-or-one-large-one/m-p/105174#M27274 skippylou 2010-12-16T02:57:52Z https://community.splunk.com/t5/Splunk-Search/Most-efficient-alot-of-smaller-searches-or-one-large-one/m-p/105175#M27275 <P>The single search is most probably the most efficient one.</P> Thu, 16 Dec 2010 03:20:26 GMT https://community.splunk.com/t5/Splunk-Search/Most-efficient-alot-of-smaller-searches-or-one-large-one/m-p/105175#M27275 ziegfried 2010-12-16T03:20:26Z