Also remember that if you do manual extraction with the rex command and only then search on its results it will be much much slower than by simply searching the index because instead of finding the value in the index splunk has to pass every event through the regex extraction and only then find matching events.

Your question is a bit vague so I'm not sure what you want so please be a little more descriptive. But from what you wrote I assume that you do some comditional aggregation and want to "go back" to raw events fulfilling your conditions. You can't do that this way. Splunk "loses" all information not being explicitly passed from the command. So when you're doing the stats command only results of the stats command are available for further processing - the original events are no longer known in your pipeline. So you have to approach it differently. Probably adding some artificial "classifier" field or two but can't really say without knowing what exactly you want to achieve.

@akshada_s - If you are trying to run Splunk search from outside the script then jobs endpoint is usually the answer. Find more info here - https://docs.splunk.com/Documentation/Splunk/9.1.1/RESTTUT/RESTsearches   I hope this helps!!!

Hello, The first search does not work because ipv6 from the dropdown is in a compressed format from a different data source, while the ipv6 in the index is in not in a compressed format, so it has to go through a regex or function to convert it to a compressed format in the second search. Thank you for your help

and I want to identify IPs that do not belong to any of the IP address ranges in my results. Example : @karimoss - Do you want to print out all the possible IP addresses that are not in your result? * How is d.e.f.g IP different from other IPs in the result set? Is it the only IP with a different subnet? * Are you looking to find subnet vise?

I try that the app is work but have some issues such as cannot collect all data during a period that may related to data size in elk. finally, I use api connection to get the data as a csv and use Splunk to collect the data.

Hi @sohrab_keramat, I know that in the logs there isn't the information on the system that a log is passed through, so how can you say that a log is sent to an HF and it isn't sent to the Indexers? maybe you're sending log from the missed device only to one HF? have you other logs (e.g. Splunk internal logs) from that HF? did you tried to sen logs from that device to other HFs? did you checked the configurations on the HF to input logs from that device? Ciao. Giuseppe

I get the feeling that optimization is the least of your problem here. I am trying to implement a behavioral rule, that checks if an ip was used in the last 7 days or not. ... [search index=<index>operationName="Sign-in activity" earliest=-7d@d | ...]     It is just unclear what "used in the last 7 days" really mean because your mock code only constraints earliest.  The default latest is now().  So, that mock code (if not for the code error that @bowesmana pointed out) would have been exactly the same as if the main search starts at earliest=-7d@d latest=now.  In other words, you would have picked up everything from the beginning of the start of 7th day back to now().  There would have been no "false". @bowesmana interpreted your intention as thus: starting 7th day back, determine whether an IP address that appears in the current day had also appeared in the earlier days.  Is this the correct interpretation? If that is the requirement, the following should make the distinction. index=<index> operationName="Sign-in activity" NOT body.properties.deviceDetail.displayName=* earliest=-7d@d ```latest=now``` | eval history = if(_time < relative_time(now(), "@d"), "today", "past7") | stats values(history) as is_historical count by ipAddress | where is_historical == "today" ``` shorthand for "today" IN is_historical ``` | eval is_historical = if(is_historical == "past7", "true", "false")  

Maybe you can first answer the question why does the first search not satisfy your need?  In other words, what is that rex is supposed to accomplish?  If your data look like the following: _raw _time ip foo 1.1.1.1 bar 2023-09-23 00:44:01 1.1.1.1 foo 2.2.2.2 bar 2023-09-23 00:44:01 2.2.2.2 foo 2001:db8:3333:4444:5555:6666::2101 bar 2023-09-23 00:44:01 2001:db8:3333:4444:5555:6666::2101 foo 2001:db8:3333:4444:5555:6666::2102 bar 2023-09-23 00:44:01 2001:db8:3333:4444:5555:6666::2102 ip="$ip_token$" should pick up the correct event whether $ip_token$ is 1.1.1.1 (IPv4) or 2001:db8:3333:4444:5555:6666::2101 (IPv6).  What am I missing here?

Splunk commandment #3: Whenever you have the urge to join, purge that thought and restate the problem in clear terms. Based on the mock codes, your two subsearches contain the exact same terms except one is one hour shorter than the other; the stats is also exactly the same except field name of the output.  I sense that the problem you are trying to solve is this: count unique dest_location-dest_ip combinations by src_ip in the two time intervals.  Is this correct? The following is a transliteration of the requirement.   index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h ```latest=now``` | stats dc(if(_time < relative_time(now(), "-1h"), dest_location . "-" . dest_ip, null())) as oldconnections dc(eval(dest_location . "-" . dest_ip)) as allconnections by src_ip   It only performs one index search covering one time interval.  This is a lot more efficient than union on two largely overlapping subsearches.