Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search very slow

chengyu
Path Finder
‎05-12-2014 01:50 AM

Hi, my search:

I'm try fast mode but status the same, My Splunk OS 5.04.

Please help me, thanks.

index="xxx" srcip !="1.1.1.1" srcip != "2.2.2.2" srcip != "3.3.3.3" dstip != "111..." dstip !="112.1.1." dstip != "163.1.1." dstip != "10.1.1." | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " time " " as Date | eval n = coalesce(hostname, host_name) |strcat " " n url " " as weburl |stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as FirstDate first(Date) as LastDate values(policyid) as policyid values(weburl) as weburl by dstip |sort 10 search srcip="123.123.123.123" |head 10

Tags (1)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎05-12-2014 02:16 AM

Hi chengyu,

try to build the search command in a manner, that it will search for events you will need instead of excluding what you don't need. Change your provided search example like this:

index="xxx" srcip="123.123.123.123" dstip != "111..."  dstip !="112.1.1." dstip != "163.1.1." dstip != "10.1.1." | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " time " " as Date | eval n = coalesce(hostname, host_name) | strcat " " n url " " as weburl | stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as FirstDate first(Date) as LastDate  values(policyid) as policyid values(weburl) as weburl by dstip | sort 10 |head 10

a note form the docs about search operators:

Note: Inclusion is generally better than exclusion. Searching for "access denied" will yield faster results than NOT "access granted".

You can go further and tune the dstip filters to reduce the !=

hope this helps ...

cheers, MuS

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...