Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search efficiency question

responsys_cm
Builder
‎06-07-2012 01:38 PM

We've got a search that looks for suspicious data from a large number of netblocks. That search looks like: index=product AND src_ip="1.1.1.0/24" OR src_ip="2.2.2.0/24"...

There are dozens of them. That search is pretty fast considering the number of events we have. I would like to manage that search with a lookup table since I've created forms that make it easy to add or remove address ranges from the lookup table.

But if I search on all events from index=product and then do a lookup on that table and filter by events that match the table, the search is incredibly slow.

Is it possible to populate the src_ip=x OR src_ip=y OR src_ip=z for each entry in the lookup table? Or is there another way of implementing this that will be faster?

Thx.

Craig

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-07-2012 09:05 PM

Well, if you have the set of src_ip values in a lookup table already, then (up to a limit) this should be doable with a subsearch and inputlookup. Assuming your lookup is formatted like this:

src_ip
1.1.1.0/24
2.2.2.0/24

then a search like this ought to work:

index=product [ | inputlookup netblocks.csv | fields src_ip ]

The subsearch will populate the outer search with a sequence of AND'ed and OR'ed values coming from the results of the subsearch. There is a limit to the subsearch, however, to around 10,000 values. This is probably a limit than can be increased some, but it may not be possible to make it arbitrarily large.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-07-2012 09:05 PM

Well, if you have the set of src_ip values in a lookup table already, then (up to a limit) this should be doable with a subsearch and inputlookup. Assuming your lookup is formatted like this:

src_ip
1.1.1.0/24
2.2.2.0/24

then a search like this ought to work:

index=product [ | inputlookup netblocks.csv | fields src_ip ]

The subsearch will populate the outer search with a sequence of AND'ed and OR'ed values coming from the results of the subsearch. There is a limit to the subsearch, however, to around 10,000 values. This is probably a limit than can be increased some, but it may not be possible to make it arbitrarily large.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎06-13-2012 12:24 PM

It is a function of the lookup you provide and the use of the "format" search command. Basically, each "row" of the lookup is surrounded by an OR, and each "column" within the lookup is surrounded by an AND. So, a lookup with the tuples (foo,green,4),(bar,red,7),(baz,yellow,5) will produce ( ( foo AND green AND 4 ) OR ( bar AND red AND 7 ) OR ( baz AND yellow AND 5 ) )

0 Karma
Reply
Solved! Jump to solution

responsys_cm
Builder
‎06-13-2012 11:00 AM

How can it populate the outer search with both AND'ed and OR'ed values? Does it search for both? How can I force it to use one or the other?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...