Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best way to do this in Splunk? Tags? Lookup or perhaps something else?

davidwaugh
Path Finder
‎01-29-2019 12:55 AM

Hello,

I have a complex search that I need to do.

An example is something like:

CONDITION=(ip.dst=lots of different IPs' && port=some interesting ports && ip.src != some more Ip's)

What I would like to know is when condition is true.

If I run this search over many events over a long period, then it will take a long time.

Is there anyway I can tag my events as they are being indexed so that I can do a search on CONDITION=True, so that searching just needs to lookup for some meta "CONDITION=true", rather than having to evaluate the whole condition against each event.

0 Karma
Reply

lakshman239
Influencer
‎01-29-2019 02:20 AM

Looking at your query at a high level, seems that your underlying data can be mapped to Network Traffic datamodel and if that can be mapped, you can get DM acceleration and use tstats to run search for a longer time window with little to minimal impact on resources.

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎01-29-2019 01:26 AM

Hi @davidwaugh

So there are a few ways you could accomplish this (that I can think of):

  • INGEST_EVAL or creating Index-time meta tags: I don't think this is a great solution becuase it would be a bit of a headache maintaining the IPLIST etc in the props/transforms file.
  • Data Model acceleration - This would probably be my preference becuase it is can take care of data gaps by itself etc.

You could also maybe use a summary index or there are probably other good ways that people can think of.

Cheers,

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...