Hello all, thanks for taking the time to read this post. I am writing today about an issue we seem to be having with one of our Splunk dashboards. It's really just 1 particular query within the dashboard...and it seems like it's due to the way in which the query is written. The query is taking on average 2 1/2 - 3 minutes to load, and utilizing between 150-200MB of memory on the search head instance.
--QUERY--
index=* sourcetype="WinEventLog:Security" EventCode IN (4625, 4626, 4627, 4628, 4630, 4631, 4632, 4633) AND Account_Name IN (admin account prefixes on network)
| fillnull value=NULL
| eval Account_Name=mvindex(Account_Name,1)
| eval Security_ID=mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=2, "Regular Logon", Logon_Type=3, "RPC (not RDP)", Logon_Type=4, "Batch", Logon_Type=5, "Service", Logon_Type=7, "Screen Unlock/SessionResume", Logon_Type=9, "New Credentials", Logon_Type=10, "Remote Desktop", Logon_Type=11, "Cached")
| rename Account_Name as "User"
| stats count(Security_ID) as "Login Events" by User, LoginType, host, _time
| sort - _time
Here is another query we are using for standard accounts in the same dashboard...and it loads in less than 15 seconds, utilizing much less resources.
--QUERY--
index=* sourcetype="WinEventLog:Security" NOT Account_Name IN (admin account prefixes on network) NOT Caller_Process_Name="*process we want suppressed" EventCode IN (4625, 4626, 4627, 4628, 4630, 4631, 4632, 4633)
| fillnull value=NULL
| eval Account_Name=mvindex(Account_Name,1)
| eval Security_ID=mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=2, "Regular Logon", Logon_Type=3, "RPC (not RDP)", Logon_Type=4, "Batch", Logon_Type=5, "Service", Logon_Type=7, "Screen Unlock/SessionResume", Logon_Type=9, "New Credentials", Logon_Type=10, "Remote Desktop", Logon_Type=11, "Cached")
| rename Account_Name as "User"
| stats count(Security_ID) as "Login Events" by User, LoginType, host, _time
| sort - _time
Again, the top query takes minutes to load and uses excessive resources; the bottom query takes seconds to load and doesn't use nearly as many resources. I guess I'm just curious if this is due to the nature of "NOT" statements in a query vice "AND"... or if my query isn't optimized. Maybe both? The queries are searching for the past 24 hours, and are set to 30min refresh intervals.
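As an added example (not from the original post), here is the admin-account report rewritten with the usual SPL measures for reducing search-head memory and run time: a named index instead of index=*, an early fields command so only the five fields the report needs are carried through the pipeline, fillnull limited to those fields, bin so stats groups on 5-minute buckets instead of on every event's exact timestamp, and sort 0 so the default 10,000-row sort limit cannot silently truncate the result. The index name your_security_index, the 5m span and the default branch of case() are assumptions; the account-prefix list is left as the placeholder the post uses.

```spl
index=your_security_index sourcetype="WinEventLog:Security" EventCode IN (4625, 4626, 4627, 4628, 4630, 4631, 4632, 4633) Account_Name IN (admin account prefixes on network)
| fields _time host Account_Name Security_ID Logon_Type
| fillnull value=NULL host Account_Name Security_ID Logon_Type
| eval Account_Name=mvindex(Account_Name,1), Security_ID=mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=2, "Regular Logon", Logon_Type=3, "RPC (not RDP)", Logon_Type=4, "Batch", Logon_Type=5, "Service", Logon_Type=7, "Screen Unlock/SessionResume", Logon_Type=9, "New Credentials", Logon_Type=10, "Remote Desktop", Logon_Type=11, "Cached", true(), "Other (" . Logon_Type . ")")
| bin _time span=5m
| stats count(Security_ID) as "Login Events" by _time, host, Account_Name, LoginType
| rename Account_Name as "User"
| sort 0 - _time
```

Compare the two versions in the Job Inspector (scanned event count and command timings) rather than by wall-clock alone, since the post's 24-hour window and 30-minute refresh mean a dashboard panel re-runs the full search each cycle; a scheduled report or summary index would remove that repeated cost entirely.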