Splunk Fast SPL Searches

The primary objectives for achieving fast searches involve an understanding of the way data is indexed and the way that SPL is processed and executed in the environment.

Part 2 on the Fast Search Overview

Walk through the most effect processes to achieve fast searches for extracting valuable insights from your data.

Details on Segmentation, both major and minor.  Review of Reporting commands and their mechanics.  SPL tricks for command usage strategies to improve search speeds

Details regarding effective use of stats command for fast and efficient SPL.

Overview of loadjob

A look at the SPL command types and what they mean.

Details on using TERM effectively in your SPL

Details on using NOT TERM effectively in your SPL

What if you want to search an index for intel from another index like threats, intel feeds, or other events?  With the search_term macro, you can find events from one index connected to events in another index, including using time windows.  You could look in an index for a time window of 5 minutes before and 1 minute after the appearance of traffic involving an ip address list from another index by modifying the macro provided here.

search_term(2) - stats count by $field$ | eval $field$ = "TERM($pre$".$field$.")" | stats values($field$) AS search | table search | eval search = mvjoin(search," OR ")

The final search shown in this video took 4.3s to search 64.5k events over All time on a desktop indexer.  This search is much more effective when the number of events filtered is very large (sparse searches) so that the indexers pull few events for parsing.