Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help optimise a long running search

dm1
Contributor
‎05-09-2021 11:11 PM

I have a search which uses email data to search specific email logs for communications from/to specific organization and lists all necessary attributes required. This search is required to run end of every month and generate a report. This scheduled search roughly takes 25 hours to run.

index=cisco_esa sourcetype=cisco:esa:textmail mail_logs 
| transaction internal_message_id maxspan=300s
| search recipient="*@abc.com" OR sender="*@abc.com"
| table _time internal_message_id sender recipient field2 field3
| outputlookup abc_esa_summary.csv

 

Can somebody please suggest some improvements to this search to make it run faster ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-09-2021 11:21 PM

Hi @dm1,

transaction is a very slow command, you can replace it using stats, something like this:

index=cisco_esa sourcetype=cisco:esa:textmail mail_logs 
| stats earliest(_time) AS _time values(sender) AS sender values(recipient) recipient values(field2) AS field2 values(field3) AS field3 BY internal_message_id
| search recipient="*@abc.com" OR sender="*@abc.com"
| table _time internal_message_id sender recipient field2 field3
| outputlookup abc_esa_summary.csv

If this solution isn't acceptable for you (maybe the limit of maxspan is relevant!), you could schedule your search to run eventy night with a timeframe of 24 hours, saving results in a summary index  (with the collect command) and every month you can take all the results.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-09-2021 11:21 PM

Hi @dm1,

transaction is a very slow command, you can replace it using stats, something like this:

index=cisco_esa sourcetype=cisco:esa:textmail mail_logs 
| stats earliest(_time) AS _time values(sender) AS sender values(recipient) recipient values(field2) AS field2 values(field3) AS field3 BY internal_message_id
| search recipient="*@abc.com" OR sender="*@abc.com"
| table _time internal_message_id sender recipient field2 field3
| outputlookup abc_esa_summary.csv

If this solution isn't acceptable for you (maybe the limit of maxspan is relevant!), you could schedule your search to run eventy night with a timeframe of 24 hours, saving results in a summary index  (with the collect command) and every month you can take all the results.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-13-2021 10:29 PM

Hi @dm1,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

dm1
Contributor
‎05-09-2021 11:44 PM

@gcusello Thanks! I just tested your search and it seems to be giving what I want in a fairly faster way. Still testing it.

Can you please elaborate on ? I have never tried this

"saving results in a summary index  (with the collect command) and every month you can take all the results. "

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-10-2021 12:08 AM

Hi @dm1,

the approach is the following:

you modify you search replacing the last row with "collect index=my_summary_index".

you schedule your search to run every night on the last 24 hurs.

in this way you save the results in a summary index and you can run you montly search on the summary index and you have in a table all the results.

In this way you have a very quick search that you can also run every day.

For more infos you can see at https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Usesummaryindexing

Ciao.

Giuseppe

P.S.: if this answer solves your your need, please accept it for the other people of Community, and Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-09-2021 11:16 PM

@dm1 

Any specific reason to use transaction commands?

Meanwhile you can try by adding fields command before transaction,

index=cisco_esa sourcetype=cisco:esa:textmail mail_logs 
| fields internal_message_id sender recipient field2 field3

 

0 Karma
Reply
Solved! Jump to solution

dm1
Contributor
‎05-09-2021 11:21 PM

@kamlesh_vaghela because transaction command groups all messages having same unique message identifier which is internal_message_id

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...