Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any suggestion about how to make alert faster which has huge size lookup.

Shuhei052492
Path Finder
‎02-27-2018 09:41 PM

Hi

I have an alert to search proxy logs. And this alert creates its results to match 3 million Proxy logs and lookup files of 40,000 lines.
Also the alert takes 7 ~ 9 hours until it finishes running.

index=proxy sourcetype=proxy [inputlookup Proxy_blacklist.csv | table url ]
| stats count as total_count, last(_time) as ltime, first(_time) as ftime, values(host) as host, values(auth_user) as auth_user by client_ip,url

I would like to make this alert faster.
As I do this, I have the idea to divide the lookup file as 3 file and this alert as 3 alerts too.
If someone has another idea to make it faster, please give me your suggestion and advice.
I appreciate any answers so much.

Best regard,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

starcher
Influencer
‎02-28-2018 07:36 PM

You could use an accelerated data model and tstats.

Or use your lookup as a lookup not as a subsearch.

Avoid using a lookup with more than 100 rows in a subsearch filter pattern that way.

Use this pattern.

... |lookup blacklist url OUTPUT url as isFound | where isnotnull(isFound)

Also use min and max on _time not first and last.

View solution in original post

Reply
Solved! Jump to solution
Solution

starcher
Influencer
‎02-28-2018 07:36 PM

You could use an accelerated data model and tstats.

Or use your lookup as a lookup not as a subsearch.

Avoid using a lookup with more than 100 rows in a subsearch filter pattern that way.

Use this pattern.

... |lookup blacklist url OUTPUT url as isFound | where isnotnull(isFound)

Also use min and max on _time not first and last.

Reply
Solved! Jump to solution

Shuhei052492
Path Finder
‎02-28-2018 09:42 PM

Thanks for your answers.
I understood the important point to use subsearch filter pattern.

Also,unfortunately the search which uses "lookup" and "where" does not improve search performance in my environment.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎02-27-2018 10:26 PM

Does the black list URL contain wild cards?
Does the field definition also exist on the indexer side?

0 Karma
Reply
Solved! Jump to solution

Shuhei052492
Path Finder
‎02-28-2018 08:05 PM

Yes. All values of this list have wildcards.
Yes. My indexer has same field definition in props.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...