Splunk Search

Search very slow

chengyu
Path Finder

Hi, my search:

I'm trying fast mode but the status is the same. My Splunk OS is 5.04.

Please help me, thanks.

index="xxx" srcip !="1.1.1.1" srcip != "2.2.2.2" srcip != "3.3.3.3" dstip != "111..." dstip !="112.1.1." dstip != "163.1.1." dstip != "10.1.1." | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " time " " as Date | eval n = coalesce(hostname, host_name) |strcat " " n url " " as weburl |stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as FirstDate first(Date) as LastDate values(policyid) as policyid values(weburl) as weburl by dstip |sort 10 | search srcip="123.123.123.123" |head 10


MuS
SplunkTrust

Hi chengyu,

Try to build the search command in a manner that searches for the events you need instead of excluding what you don't need. Change your provided search example like this:

index="xxx" srcip="123.123.123.123" dstip != "111..."  dstip !="112.1.1." dstip != "163.1.1." dstip != "10.1.1." | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " time " " as Date | eval n = coalesce(hostname, host_name) | strcat " " n url " " as weburl | stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as FirstDate first(Date) as LastDate  values(policyid) as policyid values(weburl) as weburl by dstip | sort 10 |head 10

A note from the docs about search operators:

Note: Inclusion is generally better than exclusion. Searching for "access denied" will yield faster results than NOT "access granted".

You can go further and tune the dstip filters to reduce the number of != clauses.

hope this helps ...

cheers, MuS
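As an added example (not chengyu's or MuS's own search), one way to carry the advice above through: keep the selective srcip filter in the base search, collapse the remaining dstip exclusions into a single NOT group, and use plain field names internally so nothing needs quoting until the final rename for display. The subnet values are placeholders, since the original ones are truncated on the page, and the stats/sort choices are assumptions about what the report is meant to show.

```spl
index="xxx" srcip="123.123.123.123"
    NOT (dstip="10.1.1.*" OR dstip="PLACEHOLDER_SUBNET_B.*" OR dstip="PLACEHOLDER_SUBNET_C.*")
| eval bandwidth_mb = round((rcvdbyte + sentbyte) / 1024 / 1024, 2)
| eval n = coalesce(hostname, host_name)
| strcat n " " url weburl
| stats sum(bandwidth_mb) as bandwidth_mb
        values(service) as service
        values(attack) as app
        earliest(_time) as FirstSeen
        latest(_time) as LastSeen
        values(policyid) as policyid
        values(weburl) as weburl
        by dstip
| sort 10 -bandwidth_mb
| convert ctime(FirstSeen) ctime(LastSeen)
| rename bandwidth_mb as "bandwidth(MB)"
```

Because the only srcip of interest is fixed in the base search, the stats no longer needs values(srcip), and earliest/latest on _time replace the string-built Date field for the first and last seen times.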
