Re: How to make this search faster

DanAlexander · ‎09-21-2023

Hello, community

I am trying to identify ways to make this search faster:

index=Win_Logs EventCode IN (528,540,4624) AND user IN (C*,W*,X*)
| dedup user
| timechart span=1w dc(user) as Users

Anything tstats or metasearch, metadata?

Thanks in advance

bowesmana · ‎09-21-2023

If your raw data has data like

blablabla...EventCode=528,blablabla

then you can use

index=Win_Logs TERM(EventCode=528) OR 
               TERM(EventCode=540) OR 
               TERM(EventCode=4624) AND user IN (C*,W*,X*) 
| timechart span=1w dc(user) as Users

You probably don't need the dedup - it's unnecessary as the dc() is doing that anyway.

Also if the raw data has user=BLA... then you could also do TERM(user=C*) ..

Note that for term searches, the raw data MUST have those terms. If you look at the lispy in the search log, you will see different lispy for the TERM() variants and the non TERM variants.

isoutamo · ‎09-22-2023

Here is one .conf presentation about using TERM and PREFIX https://conf.splunk.com/files/2021/slides/TRU1133B.pdf
There are also couple of other which you should read to full understand what TERM actually means and how to use it.

isoutamo · ‎09-21-2023

Hi
Have you defined any data model for this? That probably help you?
R. Ismo

DanAlexander · ‎09-21-2023

@isoutamothanks for the tip. Unfortunately, I have no datamodels I can use ATM

Regards,

How to make this search faster

chart

eval

stats

table

timechart

tstats

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!