
Reverse searching

polymorphic
Communicator

I need to find the very first occurrence of data received with a specific field id.

I have this search which does the job:

sourcetype=stats device_id=94 | stats last(FileTime)

But Splunk searches from the newest event received to the oldest event received, which means that the search takes a very long time to finish (262 seconds).
And at this point we only have 3 months of data stored.
When we have 14 months of data stored (which we need) this will obviously be even more time consuming.

Is there any way to make Splunk search in reverse order?
And then stop searching when result is found?


Drainy
Champion

Why use stats, why not just use;

sourcetype=stats device_id=94 FileTime=* | tail 1

Also, if you're looking to do these sorts of searches over longer time periods then it would be worth looking at summary indexing to start taking summarisation data to save time in the future;

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usesummaryindexing

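As an added illustration of the summary indexing approach Drainy points to (this is not code from the original thread): the first search is meant to run on a daily schedule over the previous day and writes one summary event per device with the earliest and latest FileTime seen that day; the second search answers the original question by reading only the small summary index instead of scanning raw events. The index name summary_devices, the marker value and the derived field names are assumptions; FileTime is assumed to sort correctly as a value (epoch seconds or an ISO 8601 string), otherwise min() and max() will not pick the right events.

```spl
sourcetype=stats device_id=* earliest=-1d@d latest=@d
| stats min(FileTime) AS first_filetime, max(FileTime) AS last_filetime, count AS events BY device_id
| collect index=summary_devices marker="report=device_filetime_daily"

index=summary_devices report=device_filetime_daily device_id=94
| stats min(first_filetime) AS first_filetime
```

The summary only covers days after the scheduled search is enabled, so the months already indexed have to be backfilled once (Splunk ships fill_summary_index.py for this); after that, the second search touches one summary event per device per day regardless of how many months of raw data are retained.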

Drainy
Champion

In that case there isn't much you can do I'm afraid, that's simply how Splunk searches. stats last will be the best option if you're in a distributed environment.


polymorphic
Communicator

Thanks for the answer.
However, the search suggested is just as time consuming as mine, but delivers even more information which I don't need.

I agree that summary indexing could be a way to go, but I just think that it would be more efficient to do the search "backwards" instead.
