Dashboards & Visualizations

How do I write my search to give fast results when setting the time range picker to last 7 days?

splunker969
Communicator

When I run the search below in Fast mode for the last 7 days, it takes more than 60 minutes; it does give results, but it is still taking a long time. Is there a way I can modify my search to get results in less time? Please help.

Search =

(index=pan_logs OR index=cisco_395)
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
| lookup test.csv IP AS src
| search PCI=y
| dedup dest_port src dest host rule
| table _time dest_port src dest host rule action

woodcock
Esteemed Legend

Like this:

(index=pan_logs OR index=cisco_395)
AND (sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
AND (dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
AND [| inputlookup test.csv | search PCI="y" | table IP | rename IP AS src]
| stats first(_time) AS _time first(action) AS action BY dest_port src dest host rule

splunker969
Communicator

Hi woodcock

Thanks for replying. The query gives results, but sorry, it is still taking time.


woodcock
Esteemed Legend

Show me the results of your existing search.


splunker969
Communicator

For security reasons, I cannot share results. I am getting results with the search that I posted, Woodcock.
Since it is taking a lot of time, even now it is still running: 58 of 135,845,039 events matched.


woodcock
Esteemed Legend

Try adding this above the | stats:

| fillnull dest_port src dest host rule

somesoni2
Revered Legend

Try this (assuming all the fields dest_port, src, dest, host, rule and action appear in your main data).

(index=pan_logs OR index=cisco_395)
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
[| inputlookup test.csv | search PCI=y | table IP | rename IP AS src ]
| stats max(_time) as _time values(action) as action by dest_port src dest host rule
| table _time dest_port src dest host rule action

splunker969
Communicator

Hi @somesoni2

Thanks for replying. The query doesn't give any results.


woodcock
Esteemed Legend

Jinx!!!!!!

somesoni2
Revered Legend

How many rows and columns are there in your test.csv lookup file? Also, how many records in your lookup have PCI="Y"?


splunker969
Communicator

295 rows and 3 columns: IP, PCI (which has the value "Y "), and host. In that CSV, PCI is a column I added to differentiate these hosts from the others.


bsonposh
Communicator

You are just pulling a large amount of data. You can post the job inspector report to see if that provides any insight as to why it is so slow.

You could probably use a stats command instead of dedup and table.

(index=pan_logs OR index=cisco_395)
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
| lookup test.csv IP as src
| search PCI=y
| stats values(dest_port) as dest_port values(dest) as dest values(host) as host values(rule) as rule values(action) as action by _time

splunker969
Communicator

Thanks @bsonposh. When I run the search it gives no results. Thanks for replying.


bsonposh
Communicator

Typo in the search, but it doesn't matter... you are in good hands with Gregg and Somesh.


woodcock
Esteemed Legend

It depends; if the number of PCI servers is humongous, our solutions will fail.


splunker969
Communicator

Thanks bsonposh

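An added example, not posted by anyone in this thread, that ties the suggestions above together: the lookup filter is pushed into the base search as a subsearch so the indexers only return events for PCI hosts, the dedup plus table pair is replaced by stats, and the index and sourcetype clauses carry explicit parentheses. It assumes the lookup file is test.csv with the columns IP, PCI and host as described above, and it assumes (based on how the value was quoted above as "Y ") that PCI may carry a trailing space or mixed case, which a plain PCI=y filter on the lookup rows would not match; trim() and upper() make the match tolerant of both.

```spl
(index=pan_logs OR index=cisco_395)
    (sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
    (dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
    [| inputlookup test.csv
     | where upper(trim(PCI))="Y"
     | fields IP
     | rename IP AS src ]
| stats max(_time) AS _time values(action) AS action BY dest_port src dest host rule
| table _time dest_port src dest host rule action
```

The subsearch expands to an OR list of src values, so with 295 lookup rows it stays well inside the subsearch result and time limits set in limits.conf ([subsearch] maxout and maxtime). If the PCI list ever grows past those limits, which is the failure woodcock describes above, fall back to filtering after the fact on the full event set, keeping the same whitespace tolerant test: `| lookup test.csv IP AS src OUTPUT PCI | where upper(trim(PCI))="Y"` in place of the subsearch, followed by the same stats and table commands. That variant is slower because every event is pulled before the filter applies, so check the job inspector, as bsonposh suggests, to see where the time is going.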