Hi All,
I need to improve the performance of my search below, which currently completes in about 132 sec. The search looks for the last 7 days of data from firewall logs.
Search:
index="xxx" src_ip !="a.b.c.d/26" src_ip !="x.y.z.w/26" src_zone!=ABCD src_zone!=ABCDE (dest_zone = "ABCD" OR (dvc_name IN ("qwerty","abcd","xyz","asdf") AND dest_zone="XYZ")) app IN (ldap,rmi-iiop)
| lookup some_lookup ip as src_ip OUTPUT matched
| search matched!="yes"
| stats count by src_ip,action,date_mday
| stats count by src_ip,action
| search (action=allowed OR (action=blocked AND count>1))
Thanks in advance.
Regards,
Shaquib
Hi @shaquibk,
You can try the search below; I changed the lookup method:
index="xxx" src_ip !="a.b.c.d/26" src_ip !="x.y.z.w/26" src_zone!=ABCD src_zone!=ABCDE (dest_zone = "ABCD" OR (dvc_name IN ("qwerty","abcd","xyz","asdf") AND dest_zone="XYZ")) app IN (ldap,rmi-iiop)
[| inputlookup some_lookup
| fields ip
| rename ip as src_ip
| format ]
| stats count by src_ip,action,date_mday
| stats count by src_ip,action
| search (action=allowed OR (action=blocked AND count>1))
Hi
Maybe you should use this https://docs.splunk.com/Documentation/CIM/5.0.0/User/Overview with data model acceleration? There is https://docs.splunk.com/Documentation/CIM/5.0.0/User/NetworkTraffic for this kind of use.
r. Ismo