Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Long running query

pflaher
Engager
‎02-12-2025 10:56 AM

When I run this query to give me results for the last 24 hours, its takes hours to complete. I would like to run it for say 30 days, but the time it takes would be unreasonable. 

index=firewall sourcetype=cp_log:syslog source=checkpoint:firewall dest="172.24.245.210"
| fields dest, src
| dedup dest, src
| table dest, src

I am looking to identify any front end application server that connects to this 172.24.245.210 server

 

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-12-2025 03:00 PM

You could set up daily summaries to a summary index and then run your queries over those.

You might also find better performance using stats count by dest, src rather than dedup.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-12-2025 01:23 PM

Hi @pflaher 
I wonder if you could share an example event that you are searching across, as I dont have access to an example dataset for this?

One thing you could try, which I have had success in is using TERM, like this

index=firewall sourcetype=cp_log:syslog source=checkpoint:firewall dest="172.24.245.210" TERM(*172.24.245.210*)

The wildcards are less than ideal but could help speed up your searches (I found TERM can give 10x faster searches). Depending the data you might be able to do TERM(dest=172.24.245.210) - you could try either.

Does this give you a faster response? It would be worth comparing the job inspector for the two searches to see if this improves your response time, fingers crossed!

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

 

Reply

pflaher
Engager
‎02-13-2025 07:17 AM

Thanks for that additinal paramater. Original query took 37 minutes, your suggestion brought it to 1 minute, amazing, thanks very much !

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-13-2025 07:35 AM

30 times faster! I like it. That is great news. Thanks for letting me know! 

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...