Re: Help Improve my search? - Splunk Community

Splunk Search

All,

I have this search here and it's pretty slow. Any recommendations to speed it up? Currently 250.249 seconds and that just seems high.

index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h
NOT [ search index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now | fields host | dedup host | table host ]
| fields host | dedup host | table host

| tstats count where index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h by host
| eval time="old"
| append [ |tstats count where  index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now by host
| eval time="current"]
| stats dc(time) as flag values(time) as time max(_time) as _time by host
| where flag = 1 AND time = "old"

I think it's fast enough.

Forgot about the metadata command

| metadata type=hosts index=osnixsec sourcetype=linux:audit
| eval now = now()
| eval twohoursago = now - 3600 - 3600
| where lastTime < twohoursago
| eval _time = lastTime
| table _time, host

Any other improvements?

Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...