Splunk Search

Can anyone provide recommendations on how to optimize my search?

Path Finder

I have a search taking more than 48 hours to complete. I am searching within 2 indexes over the span of a single week. Can anyone provide optimization recommendations?

eventtype=SDW_BPM_EVENTS TYPE=Address: OR TYPE=Payload: | transaction startswith=Address: endswith=Payload: | search soa_user_id!=NULL AND ( soa_operation_name=createCreditCards OR soa_operation_name=updateCreditCards OR soa_operation_name=completeMembershipCheckout OR soa_operation_name=createBatch OR soa_operation_name=exchangePaymentRefund OR soa_operation_request=processVacationRequestTransaction OR soa_operation_name=processExchangeTransaction OR soa_operation_name=processShortStayTransaction OR soa_operation_name=purchaseRetradeProgram OR soa_operation_name=updateGuestCertificate OR soa_operation_name=processTransaction OR soa_operation_name=extendDeposit OR soa_operation_name=accommodationCertificateExtensionUpdate OR ( ( soa_operation_name=signalRecapState OR soa_operation_response=signalRecapStateResponse ) AND index=sdw ) ) | LOOKUP IIActiveDirectoryAll UserName as soa_user_id OUTPUT Groups as soa_user_groups | search ( (soa_user_groups="* IT*" OR soa_user_groups="*IT *" OR soa_user_groups="*-IT*" OR soa_user_groups="*IT-*" OR soa_user_groups="*I-Series*" OR soa_user_groups="*ITCM*") AND NOT (soa_user_groups="*italy*" OR soa_user_groups="*credit*" OR soa_user_groups="*audit*" OR soa_user_groups="*autit*") ) | rex "(?i)\-M:(?P[^\-]+)" | rex "(?i)\-C:(?P[^\]]+)" | rex "SubscriptionSelection.*TransactionCd\>(?P[^<]+).*TransTypeDesc\>(?P[^<]+).*NetAmount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)" | rex ":Amount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)" 
0 Karma

SplunkTrust

Give this a try

eventtype=SDW_BPM_EVENTS TYPE=Address: OR TYPE=Payload:  | search soa_user_id!=NULL AND ( soa_operation_name=createCreditCards OR soa_operation_name=updateCreditCards OR soa_operation_name=completeMembershipCheckout OR soa_operation_name=createBatch OR soa_operation_name=exchangePaymentRefund OR soa_operation_request=processVacationRequestTransaction OR soa_operation_name=processExchangeTransaction OR soa_operation_name=processShortStayTransaction OR soa_operation_name=purchaseRetradeProgram OR soa_operation_name=updateGuestCertificate OR soa_operation_name=processTransaction OR soa_operation_name=extendDeposit OR soa_operation_name=accommodationCertificateExtensionUpdate OR ( ( soa_operation_name=signalRecapState OR soa_operation_response=signalRecapStateResponse ) AND index=sdw ) ) | transaction startswith=Address: endswith=Payload:  | LOOKUP IIActiveDirectoryAll UserName as soa_user_id OUTPUT Groups as soa_user_groups | search ( (soa_user_groups="* IT*" OR soa_user_groups="*IT *" OR soa_user_groups="*-IT*" OR soa_user_groups="*IT-*" OR soa_user_groups="*I-Series*" OR soa_user_groups="*ITCM*") AND NOT (soa_user_groups="*italy*" OR soa_user_groups="*credit*" OR soa_user_groups="*audit*" OR soa_user_groups="*autit*") ) | rex "(?i)\-M:(?P[^\-]+)" | rex "(?i)\-C:(?P[^\]]+)" | rex "SubscriptionSelection.*TransactionCd\>(?P[^<]+).*TransTypeDesc\>(?P[^<]+).*NetAmount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)" | rex ":Amount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)" 

And this

eventtype=SDW_BPM_EVENTS TYPE=Address: OR TYPE=Payload:  | search soa_user_id!=NULL AND ( soa_operation_name=createCreditCards OR soa_operation_name=updateCreditCards OR soa_operation_name=completeMembershipCheckout OR soa_operation_name=createBatch OR soa_operation_name=exchangePaymentRefund OR soa_operation_request=processVacationRequestTransaction OR soa_operation_name=processExchangeTransaction OR soa_operation_name=processShortStayTransaction OR soa_operation_name=purchaseRetradeProgram OR soa_operation_name=updateGuestCertificate OR soa_operation_name=processTransaction OR soa_operation_name=extendDeposit OR soa_operation_name=accommodationCertificateExtensionUpdate OR ( ( soa_operation_name=signalRecapState OR soa_operation_response=signalRecapStateResponse ) AND index=sdw ) )  [| inputlookup IIActiveDirectoryAll |  search ( (Groups="* IT*" OR Groups="*IT *" OR Groups="*-IT*" OR Groups="*IT-*" OR Groups="*I-Series*" OR Groups="*ITCM*") AND NOT (Groups="*italy*" OR Groups="*credit*" OR Groups="*audit*" OR Groups="*autit*") )  | table UserName | rename UserName as soa_user_id] | transaction startswith=Address: endswith=Payload:  | rex "(?i)\-M:(?P[^\-]+)" | rex "(?i)\-C:(?P[^\]]+)" | rex "SubscriptionSelection.*TransactionCd\>(?P[^<]+).*TransTypeDesc\>(?P[^<]+).*NetAmount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)" | rex ":Amount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)" 
0 Karma