Help with the efficiency of my search?

supersnedz · ‎04-27-2023

Hello,

We have recently moved over to Splunk Cloud platform and I am making a dashboard that will have panels for each of our reporting servers/tools. So for example the dashboard will have a panel to show all IPS devices reporting in, all Proxies, all windows servers etc. I have created a query to show all proxies reporting in over the week, along with a timewarp to show the difference from the week before.

index="siem-proxy" source="global"  |timechart dc(an) | rename dc(an) as "Proxy" | timewrap 1w | rename "Proxy_1week_before" as "Proxy Previous Week" | rename "Proxy_latest_week" as "Proxy Latest"

This search goes through millions of events to show 15 proxies have reported in per day, so its very slow running. Is there an easy way to make this more efficient?

Cheers

ITWhisperer · ‎04-27-2023

Try doing the rename as part of the timechart rather than for every event afterwards. It won't make a big improvement but then you didn't say how much improvement you required!

index="siem-proxy" source="global"  |timechart dc(an) as "Proxy" | timewrap 1w | rename "Proxy_1week_before" as "Proxy Previous Week" | rename "Proxy_latest_week" as "Proxy Latest"

It sounds like you have a lot of data to process so the query will take a while. One way to improve the efficiency of your query is perhaps to use summary indexes. Without further details on your usecase, it is difficult to be more specific though.

Help with the efficiency of my search?

Analytics Workspace

configuration

other

Splunk Investigate

using Splunk Cloud

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?