This is not a question, rather I am sharing something that I discovered with a Splunk OnDemand support call. I thought I was a bit of a Splunk pro, but just goes to show there's always something to learn and this one was so simple it's a little embarrassing    Imagine you have a very large lookup with 5 million+ rows (in my case a KV store, containing an extract from Maxmind DB with some other internal references added). If you want to do a CIDR match on this, you set up a lookup definition with Match Type "CIDR(network)". Now run your query (IP address obfuscated in example)     | makeresults | eval ip4 = "127.0.0.1" | lookup maxmind network AS ip4     For me on Splunk Cloud, this takes around 50 seconds, and I contacted Splunk Support for some assistance in making this viable (50 seconds just way too high).   I already understood that the issue is that the cidrmatch has to run on every single row - I added a pre filter to my lookup definition and proved that with the pre filter it ran much much faster, but obviously that limited it's use to just the filtered rows.   I tried messing around with inputlookup, but couldn't get it any better     | inputlookup maxmind | where country_name="Japan" city_name="Osaka"     This still took the same ~50 seconds to run   Of course if I had of read the documentation properly, I would have seen that "where" is actually an argument of the inputlookup clause. Changing this to:     | inputlookup maxmind where country_name="Japan" city_name="Osaka"     Made all the difference - this now runs in 5-7 seconds as the WHERE clause is now running the same as if you had added the pre-filter to the lookup definition.   To use this in a search to enrich other data, you can use:     | makeresults | eval ip4 = "127.0.0.1" | appendcols [| inputlookup maxmind where country_name="Japan" city_name="Osaka"] | where cidrmatch(network, ip4)     Obviously, the tighter you can get your WHERE clause the faster this runs - you can also use accelerated fields in your lookup (if using KV store) to further enhance, this will depend entirely on your data and how you can filter it down to the smallest possible data set before continuing.   For me, using the same 5 million row KV store and maxmind data as my example     | makeresults | eval ip4 = "127.0.0.1" | appendcols [| inputlookup maxmind where country_name="Japan" city_name="Osaka" postal_code="541-0051" network_cidr="127.0.*"] | where cidrmatch(network, ip4)     runs in ~0.179 seconds [using actual IP address, not the fake one above]. Your mileage may vary, but I hope this helps someone else trying to figure this out. I haven't tried the same with a CSV lookup, but I imagine it would be very similar.

Hi i am new,  I have 2 excel documents, one containing firewall logs and the other containing Sys logs. how would i combine the data in splunk so i can view them on one page I want to compare when the firewall  was used (and its destination IP) to when FTP was used (from syslogs).   Thank you

Hello,   How do I effectively whitelist events like excessive failed logins, and abnormal new processes? These are known, non malicious issues in our network that generate a lot of hits that do not amount to anything upon extensive investigation. Thanks in advance.

Hi All, Our JSON payload looks like as shown below. The msg.details array can have any number key/value pairs in any order.     { "appName": "TestApp", "eventType": "Response", "msg": { "transId": "Trans1234", "status": "Success", "client": "clientXyz", "responseTime": 1650, "details": [ { "keyName": "returnUrl", "keyValue": "https://abc.com/onlineshop?prod=112&cat=1349" }, { "keyName": "customer", "keyValue": "xyz" } ], "url": "/v1/test" } }     I want to filter events using partial wildcard keyValue for a keyName in the array in the msg.details array. Your help is appreciated. Thanks. index=* appName="TestApp" msg.url="/v1/test" |  spath | search msg.details{}.keyName=returnUrl AND msg.details{}.keyValue!="*abc.com*" The search may include multiple keyValue filters in the array like this. Thanks. index=* appName="TestApp" msg.url="/v1/test" |  spath | search (msg.details{}.keyName=customer AND msg.details{}.keyValue!="xyz") AND (msg.details{}.keyName=returnUrl AND msg.details{}.keyValue!="*abc.com*")

Hi, Interested in knowing if  federated  search results from Splunk Cloud could be stored in a summary index located in a On-Premise Enterprise instance / cluster? The thought is this could allow to offload some high usage dashboards to On-Premise  and allow for data correlation with On-premise data.    Thank you  

I have installed the Custom Visualization - donut app version 1.0.3 on Splunk Enterprise version 8.2.9. It seems to work well out of the box, however i have a couple of problems. 1. The legend text disappears in dark mode. I have attempted to resolve using CSS, but so far I have been unsuccessful. 2. I have tried to "center" the donut viz in the panel, but have not been able to do so... it by default is always on the left. 3. I have been unable to find a list of the viz options for this can you supply please. Thanks  

Is there  a setting that stops the "AutomIatic lifetime extensions"  (https://docs.splunk.com/Documentation/Splunk/9.0.3/Search/Extendjoblifetimes) of scheduled searches? We have some dashboard with scheduled searches , refreshed every x time, that are mainly used during business hours. so we scheduled them for only the business hours.  Sometime someones need to look at the dash in the night.  To be sure, they see a recent result we changed the dispatch.ttl too 600 (normally its run every 5 minutes) . So if the last schedule would be @6 pm, the results should be gone @6:10 pm .   If someone opens the dash @ 8pm, there aren't any results, and the search should run again. Now the real problem, some people aren't closing the dashboard. So the last run (that was @ 6 pm) keeps getting extended!   So if someone else needs to take a look at the dashboard it's displaying the last run! So is there a setting to force the results to be deleted after x period?        

So far I can get the hosts and forwarder version, but I am unable to get the index the forwarders belong to: index="_internal" source="*metrics.lo*" group=tcpin_connections fwdType=uf | dedup hostname| table hostname,version,os How can I tie the above with the index that the hosts belong to?  

Hi, I have a use case where in i want to find out how many download api failed for a given document and how many out of the failed were successful after subsequent call I have no clue how to search this on splunk right now I am finding the failed ones using the below query  index=ty_ss “download/docIds?=“ “500”  | Rex “docId=(?<docId>.*)” | eval event_time = strftime() | table docIds, event_time

data stopped coming from vcenter to splunk. not sure which DCN is used to configure those Vcenter, could you please help for troubleshooting like how to  check for the error (which cause data to stopped coming). as well as how I can find out the DCN which is using to collect the data from Vcenter.