Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Long running query

pflaher
Engager
‎02-12-2025 10:56 AM

When I run this query to give me results for the last 24 hours, its takes hours to complete. I would like to run it for say 30 days, but the time it takes would be unreasonable. 

index=firewall sourcetype=cp_log:syslog source=checkpoint:firewall dest="172.24.245.210"
| fields dest, src
| dedup dest, src
| table dest, src

I am looking to identify any front end application server that connects to this 172.24.245.210 server

 

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-12-2025 03:00 PM

You could set up daily summaries to a summary index and then run your queries over those.

You might also find better performance using stats count by dest, src rather than dedup.

0 Karma
Reply

livehybrid
Champion
‎02-12-2025 01:23 PM

Hi @pflaher 
I wonder if you could share an example event that you are searching across, as I dont have access to an example dataset for this?

One thing you could try, which I have had success in is using TERM, like this

index=firewall sourcetype=cp_log:syslog source=checkpoint:firewall dest="172.24.245.210" TERM(*172.24.245.210*)

The wildcards are less than ideal but could help speed up your searches (I found TERM can give 10x faster searches). Depending the data you might be able to do TERM(dest=172.24.245.210) - you could try either.

Does this give you a faster response? It would be worth comparing the job inspector for the two searches to see if this improves your response time, fingers crossed!

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

 

Reply

pflaher
Engager
‎02-13-2025 07:17 AM

Thanks for that additinal paramater. Original query took 37 minutes, your suggestion brought it to 1 minute, amazing, thanks very much !

0 Karma
Reply

livehybrid
Champion
‎02-13-2025 07:35 AM

30 times faster! I like it. That is great news. Thanks for letting me know! 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top