Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I improve the performance of my current search?

Rzwells2950
New Member
‎05-10-2016 07:04 AM

After jumping through a few loops the get my three searches to work together, I got it to work. But now I need to find a way to make it run faster. After a few hours of running it went through 330 million files and was not even a 1/3 of the way done. I plan on putting this in a bar graph and a pie chart. can anyone help?

eventtype=egress_email Email_Address=* File_Type=*| top limit=20 File_Type   | addtotals row=f col=t labelfield=File_Type label=Email| search File_Type=Email count=* |fields - percent| append [ search eventtype=egress_ntu Operation="Network Transfer Upload" sourcetype="digitalguardian:events" File_Type=* | top File_Type   | addtotals row=f col=t labelfield=File_Type label=Upload | search File_Type=Upload count=* |fields - percent] | append [search eventtype=egress_removable Was_Removable=True File_Type=*| top limit=20 File_Type   | addtotals row=f col=t labelfield=File_Type label=Removable   | search File_Type=Removable count=* |fields - percent]
0 Karma
Reply

somesoni2
Revered Legend
‎05-10-2016 10:27 AM

Give this a try

(eventtype=egress_email Email_Address=* ) OR (eventtype=egress_ntu Operation="Network Transfer Upload" sourcetype="digitalguardian:events" ) OR (eventtype=egress_removable Was_Removable=True )  File_Type=* 
| stats count by eventtype File_Type | sort eventtype -count | streamstats count as rank by eventtype | where (eventtype="egress_ntu" AND rank>11) OR ( (eventtype="egress_email" OR eventtype="egress_removable") AND rank>21) | appendpipe [| stats sum(count) as count by eventtype | eval File_Type=case( eventtype="egress_ntu", "Upload", eventtype="egress_email","Email",1=1,"Removable") | eval rank=21] | sort eventtype rank | fields - rank eventtype

Update
I missed the filters in previous attempt. Give this a try.

(eventtype=egress_email Email_Address=* ) OR (eventtype=egress_ntu Operation="Network Transfer Upload" sourcetype="digitalguardian:events" ) OR (eventtype=egress_removable Was_Removable=True )  File_Type=* 
| stats count by eventtype File_Type | sort eventtype -count | streamstats count as rank by eventtype | where (eventtype="egress_ntu" AND rank>11) OR ( (eventtype="egress_email" OR eventtype="egress_removable") AND rank>21) | stats sum(count) as count by eventtype | eval File_Type=case( eventtype="egress_ntu", "Upload", eventtype="egress_email","Email",1=1,"Removable") | fields - eventtype
0 Karma
Reply

Rzwells2950
New Member
‎05-10-2016 12:01 PM

I believe its faster, but now I am not getting the Statistics break down of the Uplodes, Email and Removable egress Visualizations. Before I had 3 searches that had a single bar graft of each. But now I would like to make them all into one bar graft and make a pie chart as well. Any idea what would be the best plan of action?

0 Karma
Reply

Rzwells2950
New Member
‎05-10-2016 10:10 AM

I also need to run this search for the last 3 months

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...