Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Running search for 1000s of IOCs at once?

Samantha
Engager
‎09-10-2024 11:17 AM

I would like to create a dashboard which would run a search daily to check network traffic against a list of about 18,000 IP address. 

We created a lookup table with all the IP addresses and ran it, but the search times out. Then we tried to split the lookup tables into 8 different tables and each table was a panel in our dashboard. A few dashboards will run when we do it this way, but then the rest time out. 

An idea we had was to either create a drop down tab to only run the searches when we specify, or create a search that runs one lookup table and then will only start the next search when the other stops. 

Is there a simpler way to do this? Ideally it would all be one search but it just seems to be too much for our resources.

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-10-2024 11:25 PM

Hi @Samantha ,

as also @PickleRick and @ITWhisperer said, this seems to be a job for a scheduled report.

If you want a dashboard, you could schedule a search (e.g. as an alert) running your search and sabing aggregated results in a summary index, then you could run the searches of your dashboard on this summary index.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-10-2024 01:32 PM

It depends on a use case. What and how you're searching.

Are you trying to search raw data or summarized datamodel? Are you using that lookup to generate search terms using a subsearch or are you using the lookup command? What amount of data are we talking about?

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 11:37 AM

You could set up some scheduled reports to run on partial sets of addresses, then load the results from the searches in your dashboard. This assumes you can work with out of date data e.g. your report is based on yesterday's data and you don't need the very latest data.

Alternatively, as you said, you could "chain" your searches based on when a search completes, set a token which the next search is waiting for, and so on. (This is easier to do in SimpleXML, but still possible in Studio.)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...