
How do I write my search to give fast results when setting the time range picker to last 7 days?

splunker969
Communicator

When I run the search below in Fast mode for the last 7 days, it takes more than 60 minutes; it does give results, but it is still taking a long time. Is there a way I can modify my search to get results in less time? Please help.

Search =

index=pan_logs OR index=cisco_395
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
| lookup test.csv IP as src
| search PCI=y
| dedup dest_port src dest host rule
| table _time dest_port src dest host rule action

woodcock
Esteemed Legend

Like this:

index=pan_logs OR index=cisco_395
AND (sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
AND (dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
AND [inputlookup test.csv | search PCI="y" | table IP | rename IP AS src]
| stats first(_time) AS _time first(action) AS action BY dest_port src dest host rule

splunker969
Communicator

Hi woodcock

Thanks for replying. The query gives results, but sorry, it is still taking a long time.


woodcock
Esteemed Legend

Show me the results of your existing search.


splunker969
Communicator

For security reasons, I cannot share the results. I am getting results with the search that I posted, Woodcock.
It is taking a lot of time; even now it is still running: 58 of 135,845,039 events matched.


woodcock
Esteemed Legend

Try adding this above the | stats:

| fillnull dest_port src dest host rule

somesoni2
SplunkTrust

Try this (assuming all of the fields dest_port, src, dest, host, rule, and action appear in your main data).

index=pan_logs OR index=cisco_395
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
[| inputlookup test.csv | search PCI=y | table IP | rename IP as src]
| stats max(_time) as _time values(action) as action by dest_port src dest host rule
| table _time dest_port src dest host rule action

splunker969
Communicator

Hi @somesoni2

Thanks for replying. The query doesn't give any results.


woodcock
Esteemed Legend

Jinx!!!!!!

somesoni2
SplunkTrust

How many rows and columns are there in your test.csv lookup file? Also, how many records in your lookup have PCI="Y"?


splunker969
Communicator

295 rows and 3 columns: IP, PCI (which has the value "Y "), and host. In that CSV, PCI is a column I added to differentiate these hosts from the others.


bsonposh
Communicator

You are just pulling a large amount of data. You could post the job inspector report to see if that provides any insight into why it is so slow.

You could probably use a stats command instead of dedup and table.

index=pan_logs OR index=cisco_395
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
| lookup test.csv IP as src
| search PCI=y
| stats values(dest_port) as dest_port values(dest) as dest values(host) as host values(rule) as rule values(action) as action by _time

splunker969
Communicator

Thanks @bsonposh. When I run the search it gives no results. Thanks for replying.


bsonposh
Communicator

Typo in the search, but it doesn't matter... you are in good hands with Gregg and Somesh.


woodcock
Esteemed Legend

It depends; if the number of PCI servers is humongous, our solutions will fail.

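A way to see exactly what that subsearch hands to the outer search, and how many terms it produces, before committing to the full 7-day run; this is an added SPL snippet, not part of any answer in this thread, using the lookup file and field names from the thread and assuming the subsearch is otherwise the one in the answers above:

```spl
| inputlookup test.csv
| search PCI="y"
| table IP
| rename IP AS src
| format
```

The single result row's `search` field is the literal `( ( src="..." ) OR ( src="..." ) ... )` clause the outer search receives, so a row count of 295 here is well under the default subsearch `maxout` of 10,000 results in limits.conf, which is the limit behind woodcock's caveat; if the lookup ever grows past it, the subsearch is silently truncated and hosts drop out of the results.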


splunker969
Communicator

Thanks bsonposh
