Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is there any effective way to improve the spee...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need to fetch the details of all the eventtypes and their source through a search. I use the search below, but it takes a very long time to complete a search (say more than 30 mins). Is there any effective way to improve the speed of my search? The search I am using is:
eventtype=* | dedup eventtype| table eventtype, source | sort eventtype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SridharS,
Yes there is. You can call the REST endpoint for the eventtypes.conf and display them using this REST search:
| rest /services/configs/conf-eventtypes | rex field=id "(?<EventType>[^/]+$)" | rex field=search "(?<Source>source=.+)" | table EventType Source
Maybe you need to adapt the rex for the Source field, but it should give you a fester search to start with.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This gave me the exact result what i was looking for
| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?source=.+)" | rename title as EventType | dedup EventType | table EventType search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SridharS,
Yes there is. You can call the REST endpoint for the eventtypes.conf and display them using this REST search:
| rest /services/configs/conf-eventtypes | rex field=id "(?<EventType>[^/]+$)" | rex field=search "(?<Source>source=.+)" | table EventType Source
Maybe you need to adapt the rex for the Source field, but it should give you a fester search to start with.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MuS, This is what I was actually looking for. On the other hand i have some eventtype names with space inbetween. I tried changing the above query for this, but I did not get through. My eventtype has a-z, 0-9 and - minus symbols. And also when I do the above query due to space error am not able to view source.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should get you what you want.
| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?<Source>source=.+)" | rename title as EventType | table EventType Source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was perfect. I got the eventtype list exactly(without space concern). But I am not sure why the source miss again. When I did a normal search query i got all the source path, but here am just getting "/splunkd_access.log OR source=\\splunkd_access.log" as source path for 6 or 7 events, the rest 190+ eventtypes not displaying source.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This REST search will return your eventtype definition and does not run any eventtype searches, that's why you will only get a source string, if the eventtype definition contains a source string.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
