Help Improve my search? - Splunk Community

Splunk Search

All,

I have this search here and it's pretty slow. Any recommendations to speed it up? Currently 250.249 seconds and that just seems high.

index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h
NOT [ search index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now | fields host | dedup host | table host ]
| fields host | dedup host | table host

| tstats count where index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h by host
| eval time="old"
| append [ |tstats count where  index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now by host
| eval time="current"]
| stats dc(time) as flag values(time) as time max(_time) as _time by host
| where flag = 1 AND time = "old"

I think it's fast enough.

Forgot about the metadata command

| metadata type=hosts index=osnixsec sourcetype=linux:audit
| eval now = now()
| eval twohoursago = now - 3600 - 3600
| where lastTime < twohoursago
| eval _time = lastTime
| table _time, host

Any other improvements?

Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...