Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search never finishes

rgcox1
Communicator
‎07-13-2011 10:46 AM

I'm trying to run a search for a large number (45) of suspect IP addresses. The search runs for 12 hours or more but never returns any results, and on the jobs page always shows "Running (0%)".

earliest=06/01/2011:0:0:0 NOT deny ("112.64.161.162" OR "113.142.9.125" OR "118.102.252.227" OR . . . ) |outputcsv 201107111.csv

Using outputcsv because I'm expecting more than 10K results based on individual searches on some of the addresses.

I know this is an inefficient and expensive search, but it seems that it should eventually complete.

Tags (1)
0 Karma
Reply

fk319
Builder
‎07-21-2011 01:36 PM

A guy I work with changed the ("IP....s") to the next stage and did a regex he was fortunate that all his IPs where near the same area.

<search> | regex _raw="10.(8.(43.5|52.4)|9.(232.4|144.(4|33))" | <presentation>

he is good with RegEx and the above is easy to add an remove, for those who can read it.

0 Karma
Reply

rgcox1
Communicator
‎07-14-2011 07:14 AM

Run from the cli without the outputcsv pipe, the search finishes in a few minutes, but results are incomplete due to the "head 100" that is appended by dispatch.

With the outputcsv pipe the search has now run 14 hours with no results.

0 Karma
Reply

rgcox1
Communicator
‎07-13-2011 12:04 PM

Comes back in about 10 seconds with no results when run with search command and saved search. When run with the full search string via the dispatch command . . . still processing. I see on the jobs page that "| head 100 | export" has been added to the search? Will post results tomorrow or when finished.

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎07-13-2011 11:03 AM

If you run the search on the cli, does it behave any differently?

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...