Splunk Search

How to search the last 90 days of BlueCoat logs for the top 100 websites?

OD_jfraher
New Member

This is the criteria I'm using:

index=bcoat_logs sc_filter_result!=DENIED cs_host!="-" | stats count(cs_host) by cs_host | sort -count(cs_host) 

which lists all websites users are hitting, but this search takes forever to run.

I was hoping to limit results to top 100 websites with highest hit counts in order to speed up the search.

I'm a bit of a newb and could use some help.

0 Karma

lguinn2
Legend

One reason for the slowness is that you are using "not equal to" as a criteria. In general, whenever you use NOT, Splunk ends up doing a serial search and that is slow. Is there a way that you could search like this instead?

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-"

Also, the following will get the top 100 results - but note that Splunk must count them all before it can determine the top 100. Also, you don't need count(cs_host) - just count will work - although that doesn't save time either.

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-" 
| stats count by cs_host 
| sort 100 -count

Are there any other criteria that you could use to filter the search as well? sourcetype?

0 Karma
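Putting the answer's two points together with the 90-day window from the question, here is an added example that is not part of this thread: a savedsearches.conf pair that pre-aggregates the ALLOWED host counts once a day with sistats into a summary index, so the 90-day top-100 report reads a small set of per-host rows instead of rescanning raw proxy events. This goes beyond the answer (summary indexing is a general Splunk technique, not something the thread mentions); the stanza names, the summary index bcoat_summary and the schedule are assumptions.

```ini
# Added example, not code from the thread. Assumes a summary index named
# bcoat_summary already exists and that both stanzas live in one app.

# 1. Scheduled daily pre-aggregation. Base search uses the positive match
#    sc_filter_result=ALLOWED from the answer rather than !=DENIED, so Splunk
#    is not forced into a serial search by a NOT. sistats writes the partial
#    count state that a later "stats count by cs_host" can combine correctly.
[bcoat_daily_host_counts]
search = index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-" \
| sistats count by cs_host
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
cron_schedule = 5 0 * * *
enableSched = 1
action.summary_index = 1
action.summary_index._name = bcoat_summary
# Tag every summary event so the report can select only these rows.
action.summary_index.report = bcoat_daily_host_counts

# 2. The report the question asked for: last 90 days, top 100 hosts by hits.
#    Runs against the summary rows only; "sort 100 -count" keeps the top 100
#    after the (now cheap) count, exactly as in the answer.
[bcoat_top100_90d]
search = index=bcoat_summary report=bcoat_daily_host_counts \
| stats count by cs_host \
| sort 100 -count
dispatch.earliest_time = -90d@d
dispatch.latest_time = now
```

The first run of the scheduled search only covers yesterday, so the 90-day report is complete once 90 daily runs have been collected (or after a one-off backfill of the earlier days).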