Source: socprime.com – Author: Adam Swan
When possible, use data models; they are generally your best bet for speed. However, not everything in your Splunk will be in a data model, and you may need a good old-fashioned index-based search.
This may come as a surprise, because it is counterintuitive, but adding a keyword token to an index-based search will often speed it up noticeably.
For instance, if I am interested in the misspelled user agent “Mozila” in the field user_agent I might just create the search:
index=proxy AND
user_agent=*Mozila*
However, I bet if you create the search rule
index=proxy AND Mozila AND
user_agent=*Mozila*
The search may well run faster; try it in your own SIEM.
This is because Splunk tokenizes the raw logs at index time, whereas when you specify a field, that field may need to be extracted at search time. Explaining this further is outside the scope of this quick ‘blog’. However, just know that long (5 character), distinctive keywords are often an easy way to speed up your search!
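To make the mechanism concrete, here is an added Python model of what the post describes; it is not Splunk's code and not from the original post. It simulates the two pieces that matter: an index-time lexicon that maps every term in the raw event to the events containing it (a simplified stand-in for Splunk's tsidx files), and a search-time field extraction that must run a regex over each candidate event. The sample proxy events, the field name user_agent, and the function names are constructed for the illustration. The measurable difference is how many events need field extraction before the same hits come back.

```python
import re
from collections import defaultdict

# Constructed sample proxy events (not from the original post), stored as raw
# text the way an indexer keeps them, with the user agent embedded inline.
RAW_EVENTS = [
    'src=10.0.0.5 dst=example.com status=200 user_agent="Mozilla/5.0 (Windows NT 10.0)"',
    'src=10.0.0.6 dst=example.org status=200 user_agent="Mozila/4.0 (compatible)"',
    'src=10.0.0.7 dst=example.net status=403 user_agent="curl/8.4.0"',
    'src=10.0.0.8 dst=example.com status=200 user_agent="Mozilla/5.0 (X11; Linux)"',
    'src=10.0.0.9 dst=example.org status=302 user_agent="Mozila/5.0 (Macintosh)"',
]

# Simplified segmenter: alphanumeric runs become indexed terms. Real Splunk
# segmentation uses configurable major/minor breakers, so this is an assumption.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def build_lexicon(events):
    """Index-time work: term -> set of event ids (stand-in for the tsidx lexicon)."""
    lexicon = defaultdict(set)
    for event_id, raw in enumerate(events):
        for term in TOKEN_RE.findall(raw):
            lexicon[term.lower()].add(event_id)  # term lookups are case-insensitive
    return lexicon


# Search-time field extraction: the regex that pulls user_agent out of raw text.
UA_RE = re.compile(r'user_agent="([^"]*)"')


def extract_user_agent(raw):
    """Search-time work that must run for every candidate event."""
    match = UA_RE.search(raw)
    return match.group(1) if match else None


def search(events, lexicon, ua_substring="Mozila", keyword=None):
    """Emulate `index=proxy [keyword] user_agent=*<ua_substring>*`.

    Returns (matching event ids, number of events that needed field extraction).
    With no keyword every event in the index is a candidate; with a keyword the
    lexicon narrows the candidate set before any field extraction happens.
    """
    if keyword is None:
        candidates = range(len(events))
    else:
        candidates = sorted(lexicon.get(keyword.lower(), set()))

    hits = []
    extractions = 0
    for event_id in candidates:
        extractions += 1
        user_agent = extract_user_agent(events[event_id])
        if user_agent is not None and ua_substring in user_agent:
            hits.append(event_id)
    return hits, extractions


if __name__ == "__main__":
    lex = build_lexicon(RAW_EVENTS)
    # Field-only search: every event in the index is extracted.
    print("field only:", search(RAW_EVENTS, lex))
    # Keyword plus field: only events whose lexicon entry contains the term.
    print("with keyword:", search(RAW_EVENTS, lex, keyword="Mozila"))
```

Both searches return the same two events, but the field-only search extracts the field from all five events while the keyword-filtered search extracts from two. The caveat that follows from this model is that the keyword only helps when it is a whole indexed term: the value must appear in the raw event as a term the segmenter produced, and a keyword that only matches as part of a larger term (the equivalent of a leading wildcard) cannot be resolved from the lexicon alone.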
Original Post URL: https://socprime.com/blog/fields-arent-always-faster-keyword-searches-to-speed-up-splunk/
Category & Tags: Blog, Knowledge Bits, SIEM, Splunk