Splunk Search

How to search the last 90 days of BlueCoat logs for the top 100 websites?

OD_jfraher
New Member

This is the criteria I'm using:

index=bcoat_logs sc_filter_result!=DENIED cs_host!="-" | stats count(cs_host) by cs_host | sort -count(cs_host) 

which lists all websites users are hitting, but this search takes forever to run.

I was hoping to limit results to top 100 websites with highest hit counts in order to speed up the search.

I'm a bit of a newb and could use some help.

0 Karma

lguinn2
Legend

One reason for the slowness is that you are using "not equal to" as a criterion. In general, whenever you use NOT, Splunk ends up doing a serial search and that is slow. Is there a way that you could search like this instead?

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-"

Also, the following will get the top 100 results - but note that Splunk must count them all before it can determine the top 100. Also, you don't need count(cs_host) - just count will work - although that doesn't save time either.

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-" 
| stats count by cs_host 
| sort 100 -count

Are there any other criteria that you could use to filter the search as well? sourcetype?

0 Karma
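Added example (not from either poster): since Splunk must still read all 90 days of raw events to count every cs_host before it can rank them, the usual way to make this report fast is to pre-aggregate daily counts into a summary index and rank over the summary. It assumes a summary index named summary_bcoat (hypothetical; create it first) and that the daily search is saved as a scheduled search running shortly after midnight.

```spl
/* Scheduled daily search (runs once per day over yesterday's events).
   Uses the answer's positive filter instead of != on sc_filter_result.
   collect writes the small per-host table into the summary index;
   marker tags the rows so other summaries in the same index don't mix in. */
index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-" earliest=-1d@d latest=@d
| stats count by cs_host
| collect index=summary_bcoat marker="report=bcoat_top_hosts"

/* On-demand report: reads only ~90 small daily tables, not 90 days of raw logs.
   Daily counts are summed per host before ranking the top 100. */
index=summary_bcoat report=bcoat_top_hosts earliest=-90d@d
| stats sum(count) as count by cs_host
| sort 100 -count
```

The first 90 days after enabling the schedule are only partially covered, so backfill by running the daily search for earlier days (or accept the gap) before trusting the 90-day ranking.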