Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I accelerate my DataModel Query below to work better for an Alert?

mattbellezza
Explorer
‎09-08-2017 12:16 PM

I am trying to speed up my data model search for an alert that checks every 5 minutes (for the last 5 minutes) for "excessive" blocked inbound network connections (external IP's to the Internal RFC1918 IP space" I have the searching working just with the Data Model, but it still seems slow. Is there any way I can speed this up?

| `datamodel("Network_Traffic", "All_Traffic")` 
| search All_Traffic.action="blocked" (All_Traffic.dest=10.0.0.0/8 OR All_Traffic.dest=172.16.0.0/12 OR All_Traffic.dest=192.168.0.0/16) AND NOT (All_Traffic.src="10.0.0.0/8" OR All_Traffic.src="172.16.0.0/12" OR All_Traffic.src="192.168.0.0/16") 
| stats count dc(All_Traffic.dest) as dest_count, values(All_Traffic.dest) as "Destination IP" by All_Traffic.action, All_Traffic.src  | rename All_Traffic.action as "Action", All_Traffic.src as "Source IP"
| search count>150
0 Karma
Reply

aholzel
Communicator
‎09-08-2017 01:20 PM

Don't use |datamodel or the macro.... use | tstats instead that is way faster! only downside for tstats is that you can't use a cidr in your where.

your query whould become something like:

| tstats summariesonly=t count dc(All_Traffic.dest) as dest_count, values(All_Traffic.dest) as dest from datamodel=Network_Traffic where All_Traffic.action="blocked" by All_Traffic.action, All_Traffic.src
| `drop_dm_object_name("All_Traffic")`
| search (dest=10.0.0.0/8 OR dest=172.16.0.0/12 OR dest=192.168.0.0/16) AND (src!="10.0.0.0/8" src!="172.16.0.0/12" 
 src!="192.168.0.0/16") 
| where count>150d
| rename dest AS "Destination IP", action as "Action", src as "Source IP"

more info on tstats: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...