
Search never finishes

Communicator

I'm trying to run a search for a large number (45) of suspect IP addresses. The search runs for 12 hours or more but never returns any results, and on the jobs page always shows "Running (0%)".

earliest=06/01/2011:0:0:0 NOT deny ("112.64.161.162" OR "113.142.9.125" OR "118.102.252.227" OR . . . ) |outputcsv 201107111.csv

Using outputcsv because I'm expecting more than 10K results based on individual searches on some of the addresses.

I know this is an inefficient and expensive search, but it seems that it should eventually complete.


Builder

A guy I work with changed the ("IP....s") to the next stage and did a regex; he was fortunate that all his IPs were near the same area.

<search> | regex _raw="10\.(8\.(43\.5|52\.4)|9\.(232\.4|144\.(4|33)))" | <presentation>

He is good with regex and the above is easy to add to and remove from, for those who can read it.

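The hand-built regex in the reply above can be generated mechanically from any list of addresses, and anchored so that an address does not also match inside a longer one (10.8.43.5 inside 10.8.43.50, for instance). The following is an added example written for this page, not code from the poster or his colleague: it builds an octet trie, serializes it as a nested alternation, wraps it in look-arounds, and runs it over a few constructed firewall-style lines. The addresses and log lines are constructed, and the `regex _raw="..."` quoting it emits is an assumption to check against your own Splunk version.

```python
import ipaddress
import re

# Constructed sample list of suspect IPs (hypothetical addresses, not the thread's).
SUSPECT_IPS = [
    "10.8.43.5", "10.8.52.4", "10.9.232.4", "10.9.144.4", "10.9.144.33",
    "112.64.161.162", "113.142.9.125",
]

# Constructed firewall-style log lines for the demonstration.
SAMPLE_LOGS = [
    "Jul 11 10:00:01 fw1 permit src=10.8.43.5 dst=192.0.2.10",
    "Jul 11 10:00:02 fw1 permit src=10.8.43.50 dst=192.0.2.10",
    "Jul 11 10:00:03 fw1 deny src=10.9.144.33 dst=192.0.2.11",
    "Jul 11 10:00:04 fw1 permit src=198.51.100.7 dst=192.0.2.12",
]


def _build_trie(ips):
    """Insert each validated IPv4 address into a trie keyed by octet; a None key marks a complete address."""
    trie = {}
    for ip in ips:
        octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on junk input
        node = trie
        for octet in octets:
            node = node.setdefault(octet, {})
        node[None] = True
    return trie


def _alternation(node):
    """Serialize one trie level as octet-plus-subgroup alternatives, smallest octet value first."""
    alts = []
    for octet in sorted((k for k in node if k is not None), key=int):
        child = node[octet]
        if None in child:            # leaf: this octet completes an address
            alts.append(octet)
        else:
            alts.append(octet + r"\." + _group(child))
    return "|".join(alts)


def _group(node):
    """Wrap a level in a non-capturing group only when it has more than one branch."""
    body = _alternation(node)
    return body if len(node) == 1 else "(?:" + body + ")"


def build_ip_regex(ips):
    """Return an anchored PCRE/Python regex that matches exactly the given addresses as whole tokens."""
    if not ips:
        raise ValueError("need at least one address")
    # The look-arounds stop 10.8.43.5 from matching inside 10.8.43.50 or 110.8.43.5.
    return r"(?<![\d.])" + _group(_build_trie(ips)) + r"(?![\d.])"


def spl_regex_command(ips):
    """Render the pattern as a Splunk 'regex' command to append to the search pipeline (quoting assumed)."""
    return 'regex _raw="' + build_ip_regex(ips) + '"'


def matching_lines(ips, lines):
    """Apply the generated pattern to raw events, mirroring what 'regex _raw=...' does in Splunk."""
    rx = re.compile(build_ip_regex(ips))
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    print(spl_regex_command(SUSPECT_IPS))
    for line in matching_lines(SUSPECT_IPS, SAMPLE_LOGS):
        print("HIT", line)
```

For the five addresses in the reply above the generator emits `10\.(?:8\.(?:43\.5|52\.4)|9\.(?:144\.(?:4|33)|232\.4))` between the look-arounds, which is the same shape the colleague wrote by hand; the second sample line (10.8.43.50) is correctly left out because the trailing digit fails the lookahead.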

Communicator

Run from the CLI without the outputcsv pipe, the search finishes in a few minutes, but the results are incomplete due to the "head 100" that is appended by dispatch.

With the outputcsv pipe the search has now run 14 hours with no results.


Communicator

Comes back in about 10 seconds with no results when run with the search command and a saved search. When run with the full search string via the dispatch command . . . still processing. I see on the jobs page that "| head 100 | export" has been added to the search? Will post results tomorrow or when finished.


Splunk Employee

If you run the search on the CLI, does it behave any differently?
