Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is IP address Searching/Matching so slow?

FanaticWorks
Explorer
‎11-18-2016 04:09 AM

I have a datasource with a field that is either a url or an ip address. There are 2million records in this datasource.

If i do a search for a URL the response time is quite good.

index=sandbox | location=www.domain.co.uk

But if I do a search for an IP address it is very slow.

index=sandbox | location=192.168.1.1

As both searches have to go through the same amount of data, why the difference?

Is there an alternative/faster way for me to search IP addresses?

The fields is defined in the source type so is handled at ingestion/indexing time not at search.

Reply
1 Solution
Solved! Jump to solution
Solution

PPape
Contributor
‎11-18-2016 04:25 AM

you could use the TERM() search operator.

Search with TERM() as described here

You can use the TERM() directive to force Splunk software to match whatever is inside the parentheses as a single term in the index. TERM is more useful for cases where the term contains minor segmenters, such as periods and commas, and is bounded by major segmenters, such as spaces or commas. In fact, TERM does not work for terms that are not bounded by major breakers.

Hope that helps

View solution in original post

Reply
Solved! Jump to solution
Solution

PPape
Contributor
‎11-18-2016 04:25 AM

you could use the TERM() search operator.

Search with TERM() as described here

You can use the TERM() directive to force Splunk software to match whatever is inside the parentheses as a single term in the index. TERM is more useful for cases where the term contains minor segmenters, such as periods and commas, and is bounded by major segmenters, such as spaces or commas. In fact, TERM does not work for terms that are not bounded by major breakers.

Hope that helps

Reply
Solved! Jump to solution

FanaticWorks
Explorer
‎11-22-2016 12:51 AM

That worked perfectly....

As a guide to performance improvement; I used TERM on an IP search for a source type with 6+ million domains/IPs/urls.

Old Way:      index=test field1=192.168.1.1                    4 minutes 24 seconds
Term Way:     index=test field1=TERM(192.168.1.1)              0 Seconds!!!

And searching for URLs and Domains improved also...

Many thanks!

0 Karma
Reply
Solved! Jump to solution

ridwanahmed
Path Finder
‎03-09-2020 01:46 PM

From docs link text

However, searching for TERM(127.0.0.1) fails for data that looks like this:
ip=127.0.0.1 - user=admin

This is because the equal symbol ( = ) is a minor breaker, not a major breaker. Additionally, the IP address portion of the event is indexed as: ip, 127, 0, 1, and ip=127.0.0.1. You are looking for 127.0.0.1, which is not an indexed term.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...