Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best way to do this in Splunk? Tags? Lookup or perhaps something else?

davidwaugh
Path Finder
‎01-29-2019 12:55 AM

Hello,

I have a complex search that I need to do.

An example is something like:

CONDITION=(ip.dst=lots of different IPs' && port=some interesting ports && ip.src != some more Ip's)

What I would like to know is when condition is true.

If I run this search over many events over a long period, then it will take a long time.

Is there anyway I can tag my events as they are being indexed so that I can do a search on CONDITION=True, so that searching just needs to lookup for some meta "CONDITION=true", rather than having to evaluate the whole condition against each event.

0 Karma
Reply

lakshman239
Influencer
‎01-29-2019 02:20 AM

Looking at your query at a high level, seems that your underlying data can be mapped to Network Traffic datamodel and if that can be mapped, you can get DM acceleration and use tstats to run search for a longer time window with little to minimal impact on resources.

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎01-29-2019 01:26 AM

Hi @davidwaugh

So there are a few ways you could accomplish this (that I can think of):

  • INGEST_EVAL or creating Index-time meta tags: I don't think this is a great solution becuase it would be a bit of a headache maintaining the IPLIST etc in the props/transforms file.
  • Data Model acceleration - This would probably be my preference becuase it is can take care of data gaps by itself etc.

You could also maybe use a summary index or there are probably other good ways that people can think of.

Cheers,

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...