Splunk Search

How to search the last 90 days of BlueCoat logs for the top 100 websites?

OD_jfraher
New Member

This is the criteria I'm using:

index=bcoat_logs sc_filter_result!=DENIED cs_host!="-" | stats count(cs_host) by cs_host | sort -count(cs_host) 

which lists all websites users are hitting, but this search takes forever to run.

I was hoping to limit results to top 100 websites with highest hit counts in order to speed up the search.

I'm a bit of a newb and could use some help.

0 Karma

lguinn2
Legend

One reason for the slowness is that you are using "not equal to" as a criterion. In general, whenever you use NOT, Splunk ends up doing a serial search and that is slow. Is there a way that you could search like this instead?

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-"

Also, the following will get the top 100 results - but note that Splunk must count them all before it can determine the top 100. Also, you don't need count(cs_host) - just count will work - although that doesn't save time either.

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-" 
| stats count by cs_host 
| sort 100 -count

Are there any other criteria that you could use to filter the search as well? sourcetype?

0 Karma
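For reference, the same top-100 search written with the SPL `top` command, which does the count and the limit in one step. This is an added example and not code from either poster; it assumes the field names and the ALLOWED value used in the thread above, and it pins the 90-day window with `earliest=-90d` rather than relying on the time picker.

```spl
index=bcoat_logs earliest=-90d sc_filter_result=ALLOWED cs_host!="-"
| top limit=100 cs_host showperc=false
| rename count AS hits
```

`top` still has to count every matching event before it can rank them, so it will not be dramatically faster than `stats count by cs_host | sort 100 -count`. If this report is run regularly, the usual way to make it fast is to schedule a search that writes daily per-host counts to a summary index with `| collect` and then report over that index instead of recounting 90 days of raw proxy events each time.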