
Splice searches running really slow

theouhuios
Motivator

Hello

We are running some SPLICE searches to match on IOCs and they seem to be running very slow. We have a hybrid Splunk deployment with indexers in the cloud and the SPLICE search head running on-prem. Because of this we use |localop| in our searches so that SPLICE fetches all required components from the search head itself. Would this be a reason why the searches run slow?

I am passing on average about 400k events for a 10 min interval search if the search runs between 9 AM and 5 PM. It takes about 20 min+ for SPLICE to complete that search. Sometimes it just hangs. Because of this it doesn't run on the scheduled interval. Did anyone face the same issue?

The number of IOCs in the SPLICE MongoDB is about 115k now. We saw the same slowness even when MongoDB had only 40k records.

Has anyone faced this issue before? Any help would be appreciated.


cleroux_splunk
Splunk Employee

SPLICE is a prototype and, as with any prototype, there are some limitations. One workaround would be to use the iocexportcsv command to create CSV lists of technical indicators that you would afterwards refer to via lookups or the ES Threat List. And yes, the localop command retrieves all the data and then processes it on the SH.

0 Karma
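As an added example that is not part of this thread, here is the lookup-based matching the answer describes: indicators exported with iocexportcsv and saved as a CSV lookup are matched against proxy events on the indexers instead of being pulled to the search head with localop. The lookup name `splice_iocs.csv`, its `indicator`, `ioc_type` and `ioc_source` columns, and the `dest_host`/`dest_ip`/`src` event fields are assumptions for illustration, not names this page specifies.

```spl
index=proxy sourcetype=web_proxy earliest=-10m@m latest=now
| eval indicator=coalesce(dest_host, dest_ip)
| lookup splice_iocs.csv indicator OUTPUT ioc_type ioc_source
| where isnotnull(ioc_type)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY src indicator ioc_type ioc_source
```

Because the lookup runs distributed on the indexers, only matched events travel back to the search head; re-run the export on a schedule so the CSV tracks the indicator store.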