This search is slow (our DNS logs are large).
index=winlogs sourcetype=dns
| eval dottedquestion=replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1")
| search [| inputlookup baddomains | return 10000 dottedquestion=Domain]
Outside of shrinking the time window (I am not interested in going under 24 hours), is there any way to optimize it? The baddomains list is very small (<1000).
Thank you in advance.
Probably a join might help you.
index=winlogs sourcetype=dns
| eval Domain=replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1")
| join type=inner Domain
[| inputlookup baddomains
| table Domain]
Also, if it's an ad-hoc search, run it in 'Fast Mode' instead of 'Verbose Mode'.
If you're not counting and just looking for presence, try a "dedup dottedquestion" just before the | search.
Can you share a sample pattern for the questionname field?
Sure - apparently MS logs DNS in "Pascal style" string format, showing the length of each following section in parens and ending in (0).
(12)somecomputer(6)domain(3)com(0)
Defined in section 4.1.2 of RFC 1035:
https://tools.ietf.org/html/rfc1035
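Added example, not code from this thread: a decoder and encoder for the length-prefixed name format shown above, plus the matching step from the original question done in the log's own representation. It assumes questionname values look exactly like the (12)somecomputer(6)domain(3)com(0) sample; the sample names and the bad-domains list below are constructed, not real log data. Slicing by the declared length (rather than regex-replacing the parenthesised counts as the original eval does) makes truncated or foreign values fail loudly instead of producing a plausible-looking wrong domain, and the encode direction lets a small lookup be converted once so that each event only needs a string compare.

```python
import re

# One length prefix such as "(12)". Added example, not from the original thread.
_LEN_RE = re.compile(r"\((\d+)\)")

MAX_LABEL = 63  # RFC 1035 section 2.3.4: a label is at most 63 octets


def decode_pascal_name(raw: str) -> str:
    """Decode '(12)somecomputer(6)domain(3)com(0)' to 'somecomputer.domain.com'.

    The declared length is used to slice each label, so a label containing
    '.' or '(' is handled correctly, and a truncated or foreign value raises
    ValueError instead of yielding a plausible-looking but wrong domain.
    """
    labels = []
    pos = 0
    while True:
        m = _LEN_RE.match(raw, pos)
        if m is None:
            raise ValueError(f"expected '(n)' at offset {pos} in {raw!r}")
        n = int(m.group(1))
        pos = m.end()
        if n == 0:  # the root label terminates the name
            if pos != len(raw):
                raise ValueError(f"trailing data after root label in {raw!r}")
            return ".".join(labels)
        if n > MAX_LABEL:
            raise ValueError(f"label length {n} exceeds {MAX_LABEL} in {raw!r}")
        label = raw[pos:pos + n]
        if len(label) != n:
            raise ValueError(f"truncated label at offset {pos} in {raw!r}")
        labels.append(label)
        pos += n


def encode_pascal_name(domain: str) -> str:
    """Inverse: 'evil.example.net' (or 'evil.example.net.') -> '(4)evil(7)example(3)net(0)'."""
    domain = domain.strip().rstrip(".")
    if not domain:
        return "(0)"
    parts = domain.split(".")
    for label in parts:
        if not label or len(label) > MAX_LABEL:
            raise ValueError(f"bad label {label!r} in {domain!r}")
    return "".join(f"({len(label)}){label}" for label in parts) + "(0)"


def find_bad_queries(questionnames, bad_domains):
    """Return the raw questionname values that decode to a listed domain.

    The lookup is converted to the log's own format once (cheap for <1000
    rows), so each event needs only a case-insensitive string compare and no
    decode. DNS names are case-insensitive, hence the lower().
    """
    wanted = {encode_pascal_name(d.lower()) for d in bad_domains}
    return [q for q in questionnames if q.lower() in wanted]


# Constructed sample values, not real log data.
SAMPLE_QUESTIONNAMES = [
    "(12)somecomputer(6)domain(3)com(0)",
    "(3)www(7)example(3)com(0)",
    "(4)Evil(7)example(3)net(0)",
    "(0)",
]
SAMPLE_BAD_DOMAINS = ["evil.example.net", "c2.example.org."]

if __name__ == "__main__":
    for q in SAMPLE_QUESTIONNAMES:
        print(f"{q:40} -> {decode_pascal_name(q)!r}")
    print("hits:", find_bad_queries(SAMPLE_QUESTIONNAMES, SAMPLE_BAD_DOMAINS))
```

The encode direction is the part that bears on the speed question: if the baddomains lookup carries a precomputed column in this raw form, the match can be made on questionname itself and the two replace() calls no longer have to run over every DNS event in the window. Whether Splunk can then push that filter into the base search rather than applying it after field extraction depends on how questionname is extracted in your environment, so check the job inspector before relying on it.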