https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265540#M79795 <P>Sub searches are really expensive searches and they have limits; You can most likely replace it with a <CODE>stats</CODE>, <CODE>streamstats</CODE> or <CODE>eventstats</CODE> search. Read more here:</P> <P><A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A></P> <P>cheers, MuS</P> Wed, 03 Feb 2016 13:55:02 GMT MuS 2016-02-03T13:55:02Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265534#M79789 <P>Hi,</P> <P>I am facing a subsearch performance problem. My goal is to have Bluecoat events filtered only to specific IP's coming from my firewall and having as a result the URL accessed by each IP.</P> <P>My search looks like this:</P> <PRE><CODE>index = bluecoat [search index=checkpoint rule=rule1 OR rule=rule2 AND rule_uid=id1 OR rule_uid=id2 OR rule_uid=id3 OR rule_uid=id4 |fields src_ip | lookup dnslookup clienthost as src_ip output clientip as src_ip | dedup src_ip | table src_ip] | stats values(URL) by src_ip </CODE></PRE> <P>Now I found a couple of alternative suggestions to use eventstats or similar to prevent the subsearch, but wasn't able to create it by myself. Can anyone help to point me to the right direction?</P> Wed, 03 Feb 2016 12:34:47 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265534#M79789 kseidenschnur_s 2016-02-03T12:34:47Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265535#M79790 <P>Hi! I was trying to reproduce your search in my Splunk system, but I don't understand what you want to do here:</P> <P>| lookup dnslookup clienthost as src_ip output clientip as src_ip | dedup src_ip | table src_ip</P> <P>Could you epxlain it please?<BR /> Thanks!</P> Tue, 29 Sep 2020 08:38:55 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265535#M79790 marina_rovira 2020-09-29T08:38:55Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265536#M79791 <P>The checkpoint is only logging DNS names, therefore I am changing the DNS names into IP addresses and writing them into the same field. Since I can have multiple IP addresses I am doing a dedup and the use the result as the filter in the outer search.</P> <P>To get this clear, the search is running fine! But since the result of the inner search has about 900 IP adresses the whole search takes ages. I am looking for a way to get this running more efficient....</P> Wed, 03 Feb 2016 13:13:05 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265536#M79791 kseidenschnur_s 2016-02-03T13:13:05Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265537#M79792 <P>I also discussed the possibility to have the inner search written into a lookup table on a regular base and then using the lookup table for the outer search. Should be much faster... But I was wondering if there is a better solution.</P> Wed, 03 Feb 2016 13:24:18 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265537#M79792 kseidenschnur_s 2016-02-03T13:24:18Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265538#M79793 <P>Maybe you can try to not doing a subsearch and just put thw two index with an OR condition</P> <P>index = bluecoat OR index=checkpoint rule=rule1 OR rule=rule2 AND rule_uid=id1 OR rule_uid=id2 OR rule_uid=id3 OR rule_uid=id4 | lookup dnslookup clienthost as src_ip output clientip as src_ip | dedup src_ip | stats values(URL) by src_ip</P> <P>I'm not sure about it, but just trying to give some useful ideas, maybe the inspiration will appear <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 08:39:00 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265538#M79793 marina_rovira 2020-09-29T08:39:00Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265539#M79794 <P>Wow, I didn't read your second comment, let me try it on my system, maybe I can find something</P> Wed, 03 Feb 2016 13:39:49 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265539#M79794 marina_rovira 2016-02-03T13:39:49Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265540#M79795 <P>Sub searches are really expensive searches and they have limits; You can most likely replace it with a <CODE>stats</CODE>, <CODE>streamstats</CODE> or <CODE>eventstats</CODE> search. Read more here:</P> <P><A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A></P> <P>cheers, MuS</P> Wed, 03 Feb 2016 13:55:02 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265540#M79795 MuS 2016-02-03T13:55:02Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265541#M79796 <P>Actually I was trying things like that! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Wed, 03 Feb 2016 13:56:20 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265541#M79796 marina_rovira 2016-02-03T13:56:20Z https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265542#M79797 <P>Try something like,</P> <PRE><CODE>index = bluecoat OR (index=checkpoint rule=rule1 OR rule=rule2 AND rule_uid=id1 OR rule_uid=id2 OR rule_uid=id3 OR rule_uid=id4) |lookup dnslookup clienthost as src_ip output clientip as src_ip |eval flag=if(index=="checkpoint ",1,0)|dedup index,src_ip,flag|eventstats count by src_ip|where count &gt;1|stats values(URL) by src_ip </CODE></PRE> <UL> <LI>Search both indexes Lookup clienthost (assuming clienthost is only on checkpoint) </LI> <LI>Set a flag to distinguish between two indexes dedup based on index ip and flag(this will make sure that it deletes only duplicate ips from respective indexes only)</LI> <LI>eventstats will find duplicates ie ; common ips from both indexes </LI> <LI>Finally aggregate those values</LI> </UL> <P>You might need to adjust based on your events</P> Wed, 03 Feb 2016 14:18:14 GMT https://community.splunk.com/t5/Splunk-Search/What-alternatives-can-I-use-for-my-search-instead-of-a-subsearch/m-p/265542#M79797 renjith_nair 2016-02-03T14:18:14Z