Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search never finishes

rgcox1
Communicator
‎07-13-2011 10:46 AM

I'm trying to run a search for a large number (45) of suspect IP addresses. The search runs for 12 hours or more but never returns any results, and on the jobs page always shows "Running (0%)".

earliest=06/01/2011:0:0:0 NOT deny ("112.64.161.162" OR "113.142.9.125" OR "118.102.252.227" OR . . . ) |outputcsv 201107111.csv

Using outputcsv because I'm expecting more than 10K results based on individual searches on some of the addresses.

I know this is an inefficient and expensive search, but it seems that it should eventually complete.

Tags (1)
0 Karma
Reply

fk319
Builder
‎07-21-2011 01:36 PM

A guy I work with changed the ("IP....s") to the next stage and did a regex he was fortunate that all his IPs where near the same area.

<search> | regex _raw="10.(8.(43.5|52.4)|9.(232.4|144.(4|33))" | <presentation>

he is good with RegEx and the above is easy to add an remove, for those who can read it.

0 Karma
Reply

rgcox1
Communicator
‎07-14-2011 07:14 AM

Run from the cli without the outputcsv pipe, the search finishes in a few minutes, but results are incomplete due to the "head 100" that is appended by dispatch.

With the outputcsv pipe the search has now run 14 hours with no results.

0 Karma
Reply

rgcox1
Communicator
‎07-13-2011 12:04 PM

Comes back in about 10 seconds with no results when run with search command and saved search. When run with the full search string via the dispatch command . . . still processing. I see on the jobs page that "| head 100 | export" has been added to the search? Will post results tomorrow or when finished.

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎07-13-2011 11:03 AM

If you run the search on the cli, does it behave any differently?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...