Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is my stats by command so slow and how can I speed it up for longer time intervals?

timbCFCA
Path Finder
‎09-20-2017 11:56 AM

I'm working on some statistics related queries. I'm trying to get the security id, date and count of hosts connected to.

index=wineventlog sourcetype="WinEventLog:Security" 4624 |
fields host,Security_ID,_time  | 
bucket _time span=1d | 
stats dc(host) by Security_ID, _time

They work perfectly until I start adding Security_ID. With no by command or only based on time it's fast.

I also tried to do a dedup Security_ID, _time, host before the stats dc command but it didn't help the overall speed.

It takes well over 10 minutes to complete this search for a week, and I'd like to be able to run this for 30 60 or 90 days. What do I need to do for that to be viable?

Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-21-2017 04:08 PM

Heya @timbCFCA, if DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma
Reply

worshamn
Contributor
‎09-20-2017 07:26 PM

Seems puzzling, I do see that Security_ID gets used as a source key several times in transforms.conf in the TA, I wonder if that causes any overhead. Maybe try specifying EventCode=4624 so that it isn't searching through all fields looking for 4624.

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎09-20-2017 12:33 PM

How often are you running the search? If you are running it fairly often, then you might consider a summary index so you don't have to re-spin the whole search multiple times a day.

Try this - 

 index=wineventlog sourcetype="WinEventLog:Security" 4624 
| fields host, Security_ID, _time  
| eval _time=floor(_time/86400)*86400
| dedup host,Security_ID,_time
| stats dc(host) by Security_ID, _time

Explanation -

eval is streaming and distributed, while bin is not. This way, the binning can be done at the individual indexers.

Try it with and without the dedup and see what happens.

Reply

timbCFCA
Path Finder
‎09-25-2017 06:31 AM

@DalJeanis not really. It did let me save as an accelerated search which helps.

Reply

DalJeanis
SplunkTrust
SplunkTrust
‎09-26-2017 02:14 PM

@timbCFCA - Well, that's a decent consolation prize.

Did you try it without the dedup, which is redundant with the dc()?

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎09-25-2017 06:29 AM

@timbCFCA - Did this change the run time at all?

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...