How to search the last 90 days of BlueCoat logs fo...

OD_jfraher · ‎04-18-2016

This is the criteria I'm using:

index=bcoat_logs sc_filter_result!=DENIED cs_host!="-" | stats count(cs_host) by cs_host | sort -count(cs_host)

which lists all websites users are hitting, but this search takes forever to run.

I was hoping to limit results to top 100 websites with highest hit counts in order to speed up the search.

I'm a bit of a newb and could use some help.

lguinn2 · ‎04-18-2016

One reason for the slowness is that you are using "not equal to" as a criteria. In general, whenever you use NOT, Splunk ends up doing a serial search and that is slow. Is there a way that you could search like this instead?

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-"

Also, the following will get the top 100 results - but note that Splunk must count them all before it can determine the top 100. Also, you don't need count(cs_host) - just count will work - although that doesn't save time either.

index=bcoat_logs sc_filter_result=ALLOWED cs_host!="-" 
| stats count by cs_host 
| sort 100 -count

Are there any other criteria that you could use to filter the search as well? sourcetype?

How to search the last 90 days of BlueCoat logs for the top 100 websites?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms