All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splice searches running really slow

theouhuios
Motivator
‎04-10-2015 08:02 AM

Hello

We are running some splice searches to match on IOC's and they seem to be running very slow. We have a hybrid Splunk deployment with Indexers in Cloud and the Splice Search Head running ON Prem. Because of this we use |localop| in our searches so that Splice fetches all required components from the Search Head itself. Would this be a reason on why the searches run slow.

I am passing on an average about 400k events for a 10 min interval search if the search runs between 9 AM - 5PM. It takes about 20 min+ for splice to complete that search. Sometimes it just hangs up. Because of this its doesn't run on the schedule interval. Did anyone face the same issue?

The number of IOC's in Splice Mongo DB is about 115k now. We see the same slowness even when mongo db had only 40k records.

Has anyone faced this issue before. Any help would be appreciated.

Tags (1)
0 Karma
Reply

cleroux_splunk
Splunk Employee
Splunk Employee
‎04-13-2015 02:07 AM

SPLICE is a prototype and as any prototype, there are some limitations. One workaround would be to use the iocexportcsv command to create CSV lists of technical indicators that you would after refer via lookups or ES Threat List. And yes the command localop retrieve all the data the process it on the SH.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...