Help Improve my search? - Splunk Community

Splunk Search

All,

I have this search here and it's pretty slow. Any recommendations to speed it up? Currently 250.249 seconds and that just seems high.

index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h
NOT [ search index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now | fields host | dedup host | table host ]
| fields host | dedup host | table host

| tstats count where index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h by host
| eval time="old"
| append [ |tstats count where  index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now by host
| eval time="current"]
| stats dc(time) as flag values(time) as time max(_time) as _time by host
| where flag = 1 AND time = "old"

I think it's fast enough.

Forgot about the metadata command

| metadata type=hosts index=osnixsec sourcetype=linux:audit
| eval now = now()
| eval twohoursago = now - 3600 - 3600
| where lastTime < twohoursago
| eval _time = lastTime
| table _time, host

Any other improvements?

Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...