This is the criteria I'm using:
index=bcoat_logs sc_filter_result!=DENIED cs_host!="-" | stats count(cs_host) by cs_host | sort -count(cs_host)
which lists all websites users are hitting, but this search takes forever to run.
I was hoping to limit results to top 100 websites with highest hit counts in order to speed up the search.
I'm a bit of a newb and could use some help.
One reason for the slowness is that you are using "not equal to" as a criterion. In general, whenever you use NOT, Splunk ends up doing a serial search, and that is slow. Is there a way that you could search like this instead?
index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-"
Also, the following will get the top 100 results - but note that Splunk must count them all before it can determine the top 100. Also, you don't need count(cs_host) - just count will work - although that doesn't save time either.
index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-"
| stats count by cs_host
| sort 100 -count
Are there any other criteria that you could use to filter the search as well? sourcetype?
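As an added example (not part of the original answer above), the same top-100 query written with Splunk's built-in top command, which does the count and the limit in one step, plus an explicit time window as one more narrowing criterion. It assumes the same index and field names as the question (bcoat_logs, sc_filter_result, cs_host); the 24-hour window is an assumption chosen for illustration.

```spl
index=bcoat_logs earliest=-24h latest=now sc_filter_result=ALLOWED cs_host!="-"
| top limit=100 cs_host showperc=false
```

The positive match on sc_filter_result=ALLOWED and the time bounds sit in the base search so the indexers discard events before they reach the aggregation; top limit=100 returns the same host/count pairs as "stats count by cs_host | sort 100 -count", and showperc=false drops the percentage column so the output matches the original shape. Like the stats form, top still has to see every matching event before it can rank them, so the real savings come from the filters on the left of the first pipe, not from the ranking command.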