Splunk Search

Help Improve my search?

dpwtheitguy
Loves-to-Learn Lots

All, 

I have this search here and it's pretty slow. Any recommendations to speed it up? Currently 250.249 seconds and that just seems high.


index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h
NOT [ search index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now | fields host  | dedup host | table host ]
| fields host | dedup host | table host


to4kawa
Ultra Champion


| tstats count where index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h by host
| eval time="old"
| append [ |tstats count where  index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now by host
| eval time="current"]
| stats dc(time) as flag values(time) as time max(_time) as _time by host
| where flag = 1 AND time = "old"


I think it's fast enough.


dpwtheitguy
Loves-to-Learn Lots

Forgot about the metadata command


| metadata type=hosts index=osnixsec sourcetype=linux:audit
| eval now = now()
| eval twohoursago = now - 3600 - 3600
| where lastTime < twohoursago
| eval _time = lastTime
| table _time, host


Any other improvements?

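A single-pass variant of the "silent audit source" check, added here as an example and not taken from either poster: one tstats call over the whole 7-day window computes each host's latest audit event, so the subsearch/append and the two-window comparison disappear, while the host=*domain.net filter and the 7-day bound that the metadata version drops are kept. Field and index names are the ones from the thread; the 2-hour threshold is assumed to be the same one the original search used.

```spl
``` Hosts that sent linux:audit events in the last 7 days but nothing in the last 2 hours.
    tstats reads the tsidx files only, so no raw events are scanned. ```
| tstats max(_time) as lastSeen
    where index=osnixsec sourcetype=linux:audit host=*domain.net
          earliest=-7d@d latest=now
    by host
``` Any host whose newest event is older than the 2-hour cutoff is a gap in audit coverage. ```
| where lastSeen < relative_time(now(), "-2h@h")
| eval lastSeenReadable=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| table host, lastSeenReadable
```

Unlike `| metadata type=hosts`, this only reports hosts seen within the 7-day window, so decommissioned hosts that last logged months ago do not surface every run.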