When I run the search below in Fast mode for the last 7 days, it takes more than 60 minutes; it does return results, but it still takes that long. Is there a way I can modify my search to get results in less time? Please help.
Search =
index=pan_logs OR index=cisco_395
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
| lookup test.csv IP as src
| search PCI=y
| dedup dest_port src dest host rule
| table _time dest_port src dest host rule action
Like this:
index=pan_logs OR index=cisco_395
AND (sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
AND (dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
AND [inputlookup test.csv | search PCI="y" | table IP | rename IP AS src]
| stats first(_time) AS _time first(action) AS action BY dest_port src dest host rule
Hi woodCook
Thanks for replying. The query gives results; sorry, but it is still taking time.
Show me the results of your existing search.
For security reasons, I cannot share results. I am getting results with the search that I posted, Woodcock.
It is taking a lot of time; even now it is still running: 58 of 135,845,039 events matched.
Try adding this above the | stats:
| fillnull dest_port src dest host rule
Try this (assuming all of the fields dest_port, src, dest, host, rule and action appear in your main data).
index=pan_logs OR index=cisco_395
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
[| inputlookup test.csv | search PCI=y | table IP | rename IP as src]
| stats max(_time) as _time values(action) as action by dest_port src dest host rule
| table _time dest_port src dest host rule action
Hi @somesoni2
Thanks for replying. The query doesn't give any results.
Jinx!!!!!!
How many rows and columns are there in your test.csv lookup file? Also, how many records in your lookup have PCI="Y"?
295 rows and 3 columns: IP, PCI (which has the value "Y"), and host. In that CSV, PCI is a column I added to differentiate these hosts from the others.
You are just pulling a large amount of data. You can post the job inspector report to see if that provides any insight as to why it is so slow.
You could probably use a stats command instead of dedup and table.
index=pan_logs OR index=cisco_395
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
| lookup test.csv IP as src
| search PCI=y
| stats values(dest_port) as dest_port values(dest) as dest values(host) as host values(rule) as rule values(action) as action by _time
Thanks @bsonposh. When I run the search it gives no results. Thanks for replying.
Typo in the search but doesn't matter... you are in good hands with Gregg and Somesh
It depends; if the number of PCI servers is humongous, our solutions will fail.
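The caveat above is about the subsearch result limit: a subsearch used as a filter returns at most 10,000 rows by default (limits.conf, [subsearch] maxout) and is cut off after 60 seconds (maxtime). The following SPL is an added check, not part of any answer in this thread; it assumes the same test.csv lookup with IP and PCI columns. The first pipeline counts how many rows the subsearch will hand back; the second shows, via format, the literal OR-list of src values that Splunk splices into the outer search, which is what lets the indexers drop non-PCI events before they are ever read.

```spl
| inputlookup test.csv
| search PCI=y
| stats count AS pci_rows

| inputlookup test.csv
| search PCI=y
| table IP
| rename IP AS src
| format
```

Run each pipeline on its own. With 295 rows in the lookup, pci_rows is far below the default maxout, so the subsearch form is safe here; if pci_rows ever approaches 10,000 the generated filter is silently truncated and the outer search returns partial results, which is the failure mode woodcock refers to. The format output is also useful when the optimized search returns nothing: if the expanded src values do not match how src appears in pan_logs and cisco_395 (for example hostname versus IP), the filter is correct but matches no events.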
Thanks bsonposh