Knowledge Management

help optimise a long running search

dm1
Contributor

I have a search which uses email data to search specific email logs for communications from/to a specific organization and lists all the attributes required. This search is required to run at the end of every month and generate a report. This scheduled search takes roughly 25 hours to run.

index=cisco_esa sourcetype=cisco:esa:textmail mail_logs 
| transaction internal_message_id maxspan=300s
| search recipient="*@abc.com" OR sender="*@abc.com"
| table _time internal_message_id sender recipient field2 field3
| outputlookup abc_esa_summary.csv


Can somebody please suggest some improvements to this search to make it run faster?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @dm1,

transaction is a very slow command, you can replace it using stats, something like this:

index=cisco_esa sourcetype=cisco:esa:textmail mail_logs 
| stats earliest(_time) AS _time values(sender) AS sender values(recipient) AS recipient values(field2) AS field2 values(field3) AS field3 BY internal_message_id
| search recipient="*@abc.com" OR sender="*@abc.com"
| table _time internal_message_id sender recipient field2 field3
| outputlookup abc_esa_summary.csv

If this solution isn't acceptable for you (maybe the limit of maxspan is relevant!), you could schedule your search to run every night with a timeframe of 24 hours, saving results in a summary index (with the collect command), and every month you can take all the results.

Ciao.

Giuseppe


0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dm1,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

dm1
Contributor

@gcusello Thanks! I just tested your search and it seems to be giving what I want, and quite a bit faster. Still testing it.

Can you please elaborate on this? I have never tried it:

"saving results in a summary index (with the collect command) and every month you can take all the results."

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dm1,

the approach is the following:

you modify your search, replacing the last row with "collect index=my_summary_index".

you schedule your search to run every night on the last 24 hours.

in this way you save the results in a summary index, and you can run your monthly search on the summary index and have all the results in a table.

In this way you have a very quick search that you can also run every day.

For more infos you can see at https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Usesummaryindexing

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it for the other people of the Community, and Karma Points are appreciated by all the contributors 😉

0 Karma
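As an added illustration of the nightly-plus-summary-index approach described above (not code from the original thread), here is what the two searches could look like. The summary index name esa_abc_summary, the source tag abc_esa_daily and the field names field2/field3 are assumptions; the summary index must already exist before collect can write to it.

```spl
# Search 1: scheduled nightly, reads yesterday's mail logs (midnight to midnight),
# groups events per message with stats instead of transaction,
# and writes the filtered rows into the summary index.
# (assumed index name: esa_abc_summary; assumed source tag: abc_esa_daily)
index=cisco_esa sourcetype=cisco:esa:textmail mail_logs earliest=-1d@d latest=@d
| fields _time internal_message_id sender recipient field2 field3
| stats earliest(_time) AS _time values(sender) AS sender values(recipient) AS recipient values(field2) AS field2 values(field3) AS field3 BY internal_message_id
| search recipient="*@abc.com" OR sender="*@abc.com"
| collect index=esa_abc_summary source="abc_esa_daily"

# Search 2: scheduled monthly, reads only the small summary index for the previous
# calendar month. dedup guards against a message whose events straddled midnight
# and therefore produced a row on two consecutive nights.
index=esa_abc_summary source="abc_esa_daily" earliest=-1mon@mon latest=@mon
| dedup internal_message_id
| table _time internal_message_id sender recipient field2 field3
| outputlookup abc_esa_summary.csv
```

The fields command early in the nightly search limits what the indexers send to the search head, which helps both the stats and any remaining transaction variant. The monthly search then touches only the rows already written by collect, so its runtime no longer depends on the volume of the raw mail logs.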

kamlesh_vaghela
SplunkTrust
SplunkTrust

@dm1 

Any specific reason to use transaction commands?

Meanwhile, you can try adding the fields command before transaction:

index=cisco_esa sourcetype=cisco:esa:textmail mail_logs 
| fields internal_message_id sender recipient field2 field3


0 Karma

dm1
Contributor

@kamlesh_vaghela because the transaction command groups all messages having the same unique message identifier, which is internal_message_id

0 Karma