Optimize Nested Search

antb · ‎08-07-2019

This search is slow (our dns logs are large).

index=winlogs sourcetype=dns | eval dottedquestion=replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1") | search [| inputlookup baddomains | return 10000 dottedquestion=Domain]

Outside of shrinking the time window (I am not interested in going under 24 hours) is there anyway to optimize it? The baddomains list is very small (<1000)

Thank you in advance.

jawaharas · ‎08-08-2019

Probably join might help you.

index=winlogs sourcetype=dns 
| eval Domain=replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1") 
| join type=inner Domain 
    [| inputlookup baddomains 
    | table Domain]

Also, if it's ad-hoc search, Run in 'Fast Mode' instead of 'Verbose Mode'.

jpolvino · ‎08-08-2019

If you're not counting and just looking for presence, try a "dedup dottedquestion" just before the | search.

jawaharas · ‎08-07-2019

Can you share some sample pattern for questionname field?

antb · ‎08-08-2019

Sure - apparently ms logs dns in “pascal style” string format. Showing the length of each next section in parens ending in (0).

(12)somecomputer(6)domain(3)com(0)

Defined in 4.1.2 of the RFC1035:
https://tools.ietf.org/html/rfc1035

Optimize Nested Search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Optimize Nested Search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey