Splunk Search

Is there any effective way to improve the speed of my search to fetch details of all eventtypes and their source?

SridharS
Path Finder

Hi,

I need to fetch the details of all the eventtypes and their source through a search. I use the search below, but it takes a very long time to complete a search (say more than 30 mins). Is there any effective way to improve the speed of my search? The search I am using is:

eventtype=* | dedup eventtype| table eventtype, source | sort eventtype 
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi SridharS,

Yes there is. You can call the REST endpoint for the eventtypes.conf and display them using this REST search:

| rest /services/configs/conf-eventtypes | rex field=id "(?<EventType>[^/]+$)" | rex field=search "(?<Source>source=.+)" | table EventType Source

Maybe you need to adapt the rex for the Source field, but it should give you a faster search to start with.

cheers, MuS


SridharS
Path Finder

This gave me the exact result that I was looking for:

| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?<Source>source=.+)" | rename title as EventType | dedup EventType | table EventType search

SridharS
Path Finder

Hi MuS, this is what I was actually looking for. On the other hand, I have some eventtype names with spaces in between. I tried changing the above query for this, but I did not get through. My eventtype names contain a-z, 0-9 and the - (minus) symbol. Also, when I run the above query, I am not able to view the source because of the space error.


somesoni2
SplunkTrust
SplunkTrust

This should get you what you want.

| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?<Source>source=.+)" | rename title as EventType | table EventType Source

SridharS
Path Finder

That was perfect. I got the eventtype list exactly (without the space concern). But I am not sure why the source is missing again. When I ran a normal search query I got all the source paths, but here I am just getting "/splunkd_access.log OR source=\\splunkd_access.log" as the source path for 6 or 7 events, and the remaining 190+ eventtypes are not displaying a source.


MuS
SplunkTrust
SplunkTrust

This REST search will return your eventtype definition and does not run any eventtype searches, that's why you will only get a source string, if the eventtype definition contains a source string.

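The point MuS makes above (the REST search returns eventtype definitions from eventtypes.conf and does not run them, so a source only shows up when the definition itself contains a source= term) can be reproduced offline. The following Python is an added example, not code from this thread or from Splunk: it parses constructed eventtypes.conf text, keeps stanza names with spaces and hyphens intact (the concern raised earlier in the thread), applies the same source= capture as the rex, and returns None where the definition has no source.

```python
import re

# Constructed sample of eventtypes.conf content, in the shape the REST
# endpoint /services/configs/conf-eventtypes exposes (one stanza per
# eventtype). Names with spaces and hyphens are included on purpose.
SAMPLE_EVENTTYPES_CONF = """\
[splunkd-access]
search = source=*splunkd_access.log OR source=*\\\\splunkd_access.log
tags = web

[failed login]
search = index=auth action=failure
priority = 2

[web-error 5xx]
search = sourcetype=access_combined status>=500
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# Same capture as the rex in the thread: from "source=" to end of search.
SOURCE_RE = re.compile(r"(?P<Source>source=.+)")


def parse_eventtypes(conf_text):
    """Return {eventtype_name: search_string} from eventtypes.conf text."""
    eventtypes = {}
    current = None
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")  # full name, spaces and hyphens kept
            eventtypes.setdefault(current, "")
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first "=" only
        if key.strip() == "search":
            eventtypes[current] = value.strip()
    return eventtypes


def eventtype_sources(conf_text):
    """Return sorted (EventType, Source) rows. Source is None when the
    definition has no source= term, which is why most rows in the thread
    showed no source: the definition is inspected, not executed."""
    rows = []
    for name, search in parse_eventtypes(conf_text).items():
        m = SOURCE_RE.search(search)
        rows.append((name, m.group("Source") if m else None))
    return sorted(rows)


if __name__ == "__main__":
    for name, source in eventtype_sources(SAMPLE_EVENTTYPES_CONF):
        print(f"{name!r}: {source}")
```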