- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to clone monthly reports from my current searc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I've got this search string
index=my_index sourcetype=my_sourcetype host=hostname ((signature_number=1) OR (signature_number=2)) ((dest_ip=192.168.0.0/16) OR (src_ip=192.168.0.0/16))
saved as Report 0. From this, I want to clone the following monthly reports:
Report 1 - signature 1 and dest_ip
- Top 10 dest_ip
- Top 10 src_ip
Report 2 - signature 1 and src_ip
- Top 10 dest_ip
- Top 10 src_ip
Report 3 - signature 2 and dest_ip
- Top 10 dest_ip
- Top 10 src_ip
Report 4 - signature 2 and src_ip
- Top 10 dest_ip
- Top 10 src_ip
I am unable to decide based on my Splunk knowledge if it is better to do
index=my_index sourcetype=my_sourcetype host=hostname ((signature_number=1) OR (signature_number=2)) ((dest_ip=192.168.0.0/16) OR (src_ip=192.168.0.0/16)) | where signature_number=1 AND dest_ip=192.168.0.0/16
or
index=my_index sourcetype=my_sourcetype host=hostname signature_number=1 dest_ip=192.168.0.0/16
I think it should be the first case and not the second case. Also, I'm not certain if the first case syntax is correct. Since I'm searching Report 0, I think I should be able to do this
List of Report 0 Events | where signature_number=1 AND dest_ip=192.168.0.0/16
but if so, I haven't found anything showing how to do it.
TIA
Joe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! I think the second one index=my_index sourcetype=my_sourcetype host=hostname signature_number=1 dest_ip=192.168.0.0/16, is your best query, because it will take a small time to accomplish than the first one.
And, i'm not yet sure that your last option(call a report, and then modify it ) is possible with splunk.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try like this:
- Report 1 - signature 1 and dest_ip
index=my_index sourcetype=my_sourcetype host=hostname signature_number=1 | top limit=10 dest_ip
or
index=my_index sourcetype=my_sourcetype host=hostname signature_number=1 | top limit=10 src_ip
Report 3 - signature 2 and dest_ip
index=my_index sourcetype=my_sourcetype host=hostname signature_number=2 | top limit=10 dest_ip
orindex=my_index sourcetype=my_sourcetype host=hostname signature_number=2 | top limit=10 src_ip
............
..........
tek this as your base of query index=my_index sourcetype=my_sourcetype host=hostname signature_number=...
because when you filter with dest_ip=192.168.0.0/16 is no work good. and after your pipe with top command , it is no work fine.
srry for my english.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! I think the second one index=my_index sourcetype=my_sourcetype host=hostname signature_number=1 dest_ip=192.168.0.0/16, is your best query, because it will take a small time to accomplish than the first one.
And, i'm not yet sure that your last option(call a report, and then modify it ) is possible with splunk.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe. I might be thinking about it incorrectly. I'm thinking of it as a large monthly data set that requires 1 search instead of 4 smaller data sets that require 4 searches. Since this deals with optimization I'm not certain which is the best option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know exactly what you want to do!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My apologies. I misread your reply. So for optimization it is better to run 4 small reports rather than one large report that has all the data of the 4 small reports? Seems counter intuitive, but if the results of the large sense can't be fed into a where clause makes sense.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok. That is how your qury works.
First the firs part of the query : index=my_index sourcetype=my_sourcetype host=hostname ((signature_number=1) OR (signature_number=2)) ((dest_ip=192.168.0.0/16) OR (src_ip=192.168.0.0/16))
will find all the events where:
1. signature_number=1 and dest_ip=192.168.0.0/16
2. signature_number=1 and src_ip=192.168.0.0/16
3. signature_number=2 and dest_ip=192.168.0.0/16
4. signature_number=2 and src_ip=192.168.0.0/16
Let suppose that the search will take 2min to accomplish.
The second part of your search | where signature_number=1 AND dest_ip=192.168.0.0/16 will come and filter all the events you received wif the first part of the query, to give only events where signature_number=1 and dest_ip=192.168.0.0/16
let suppose the filter will take 1min.
2min+1min=3min
Now the second query: index=my_index sourcetype=my_sourcetype host=hostname signature_number=1 dest_ip=192.168.0.0/16 will return only events that you need.That query is more efficient than the first one.
To have your large sense rusult it will be better that you do something like this:
index=my_index sourcetype=my_sourcetype host=hostname signature_number=1 (dest_ip=192.168.0.0/16 OR src_ip=192.168.0.0/16)
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
