Splunk Search

Search never finishes

rgcox1
Communicator

I'm trying to run a search for a large number (45) of suspect IP addresses. The search runs for 12 hours or more but never returns any results, and on the jobs page always shows "Running (0%)".

earliest=06/01/2011:0:0:0 NOT deny ("112.64.161.162" OR "113.142.9.125" OR "118.102.252.227" OR . . . ) |outputcsv 201107111.csv

Using outputcsv because I'm expecting more than 10K results based on individual searches on some of the addresses.

I know this is an inefficient and expensive search, but it seems that it should eventually complete.

Tags (1)
0 Karma

fk319
Builder

A guy I work with changed the ("IP....s") to the next stage and did a regex he was fortunate that all his IPs where near the same area.

<search> | regex _raw="10.(8.(43.5|52.4)|9.(232.4|144.(4|33))" | <presentation>

he is good with RegEx and the above is easy to add an remove, for those who can read it.

0 Karma

rgcox1
Communicator

Run from the cli without the outputcsv pipe, the search finishes in a few minutes, but results are incomplete due to the "head 100" that is appended by dispatch.

With the outputcsv pipe the search has now run 14 hours with no results.

0 Karma

rgcox1
Communicator

Comes back in about 10 seconds with no results when run with search command and saved search. When run with the full search string via the dispatch command . . . still processing. I see on the jobs page that "| head 100 | export" has been added to the search? Will post results tomorrow or when finished.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

If you run the search on the cli, does it behave any differently?

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...