How to make my search fast when searching field na...

Splunk Search

Hi Dears,

When I search only IPs without field names in Firewall indexes search is fast, like:

index="EX" "X.X.X.X" OR "X.X.X.X" OR X.X.X.X" OR X.X.X.X" OR X.X.X.X"

But when I include field name as in below, the search takes a lot of time specially in Firewall index. (Though I believe it should take less time from above search because it searches for only specific field).

index="EX" dest_ip="X.X.X.X"OR dest_ip="X.X.X.X" OR dest_ip="X.X.X.X" OR dest_ip="X.X.X.X" OR dest_ip="X.X.X.X"

Please your support.

Best Regards,

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with another ...