Re: Splunk SDK Search is slow

TheMilkMan · ‎11-29-2019

The Splunk query using Splunk SDK using C# returns results much slower than the front end.

Query

index=TEST "<TEST LogTime" earliest="11/1/2019:0:0:0" latest="11/30/2019:23:59:59" | where (in(Field1, "TestValue1","TestValue2","TestValue3")) | fields TestField1 TestField2 TestField3 | rename TestField1 as TestField1a, TestField2 As TestField2b, TestField3 As TestField3a

using (var service = new Service(Scheme.Https, _config.Uri, _config.Port))
                {

                    await service.LogOnAsync(_config.Username, _config.Password);

                    using (var searchResultStream = await service.SearchOneShotAsync(query))
                    {

                        var config = new MapperConfiguration(cfg => { });
                        var mapper = config.CreateMapper();
                        foreach (var result in searchResultStream)
                        {
                            results.Add(mapper.Map<T>(result));
                        }
                    }
                }

wmyersas · ‎11-29-2019

What is your search?

How are you connecting with the SDK?

TheMilkMan · ‎11-29-2019

index=TEST "

TheMilkMan · ‎11-29-2019

index=TEST "<TEST LogTime" earliest="11/1/2019:0:0:0" latest="11/30/2019:23:59:59" | where (in(Field1, "TestValue1","TestValue2","TestValue3")) | fields TestField1 TestField2 TestField3 | rename TestField1 as TestField1a, TestField2 As TestField2b, TestField3 As TestField3a

using (var service = new Service(Scheme.Https, _config.Uri, _config.Port))
                {

                    await service.LogOnAsync(_config.Username, _config.Password);

                    using (var searchResultStream = await service.SearchOneShotAsync(query))
                    {

                        var config = new MapperConfiguration(cfg => { });
                        var mapper = config.CreateMapper();
                        foreach (var result in searchResultStream)
                        {
                            results.Add(mapper.Map<T>(result));
                        }
                    }
                }

Splunk SDK Search is slow

SDK

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?