About rafazurc

rafazurc · ‎04-13-2020

Hello @jpolvino. I ve added the print of mu job inspector results. What I m trying to achieve is. I have 2 sourcetypes one is the connection and the other collector. The fist one, the field I need to use is src, the second is name. So I m trying to check each event and if src is null consider the name. After that, I m formatting _time as date, and the SubnetName is a common field for both sourcetypes. The result I need is to list distinct src by each network by day. I really would like to optimize this search to reduce the search cost. I m checking the link you ve sent looking for more hints. Thanks

rafazurc · ‎04-13-2020

Hello @efavreau. As I have 2 sourcetype and one has src and other name. Does it work to add before the first pipe (src=* OR name=*) Thanks

rafazurc · ‎04-13-2020

Hello @richgalloway . To search the last 24hours (~200M events ) takes around 45 minutes. and generates ~80k Results. Thanks.

rafazurc · ‎04-13-2020

Hello Everyone. I m new to splunk and I have one search which is taking a bit longer than others. Is there any suggestion on how to improve this search ? index=mydatasource_* (sourcetype = x_connections OR sourcetype= x_collectors) engine="engine" Src_SubnetName = "vpn"| eval src= if(isnull(src),name, src) | eval Dates = _time | eval Src_SubnetName = Src_Sitename | convert timeformat="%Y-%m-%d" ctime(Dates) | stats dc(src) by src,Src_SubnetName, Dates

Posts	4
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎04-13-2020

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

Speed Search Review

Re: Speed Search Review

Re: Speed Search Review

Re: Speed Search Review

Speed Search Review