Re: Optimize Nested Search

antb · ‎08-07-2019

This search is slow (our dns logs are large).

index=winlogs sourcetype=dns | eval dottedquestion=replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1") | search [| inputlookup baddomains | return 10000 dottedquestion=Domain]

Outside of shrinking the time window (I am not interested in going under 24 hours) is there anyway to optimize it? The baddomains list is very small (<1000)

Thank you in advance.

jawaharas · ‎08-08-2019

Probably join might help you.

index=winlogs sourcetype=dns 
| eval Domain=replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1") 
| join type=inner Domain 
    [| inputlookup baddomains 
    | table Domain]

Also, if it's ad-hoc search, Run in 'Fast Mode' instead of 'Verbose Mode'.

jpolvino · ‎08-08-2019

If you're not counting and just looking for presence, try a "dedup dottedquestion" just before the | search.

jawaharas · ‎08-07-2019

Can you share some sample pattern for questionname field?

antb · ‎08-08-2019

Sure - apparently ms logs dns in “pascal style” string format. Showing the length of each next section in parens ending in (0).

(12)somecomputer(6)domain(3)com(0)

Defined in 4.1.2 of the RFC1035:
https://tools.ietf.org/html/rfc1035

Optimize Nested Search

The All New Performance Insights for Splunk

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

Optimize Nested Search

The All New Performance Insights for Splunk

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...