Fields Aren’t Always Faster, Keyword Searches to Speed Up Splunk

When possible, use datamodels; they are generally your best bet for speed. However, not everything in your Splunk will be in a datamodel, and you may require a good old-fashioned index-based search.

This may come as a surprise because it is counterintuitive, but adding a bare token (keyword) to an index-based search will often make the search faster.

For instance, if I am interested in the misspelled user agent “Mozila” in the field user_agent I might just create the search:

index=proxy AND
user_agent=*Mozila*

However, I bet that if you instead create the search

index=proxy AND Mozila AND
user_agent=*Mozila*

the search may perform faster. Check it out in your SIEM.

This is because Splunk tokenizes the raw logs at index time, whereas a field you specify in the search may need to be extracted at search time. Explaining this further is outside the scope of this quick blog post. Just know that long (5 character), distinct keywords are often an easy way to speed up your search!
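To make the mechanism concrete, here is an added toy model (not from the original post or from Splunk itself) of what the bare keyword buys you: a tsidx-like inverted index of tokens is built from constructed proxy events, and the two searches above are simulated. The field-only search must run the search-time extraction against every event, while the keyword search asks the lexicon first and only extracts the candidates. The tokenizer, event format and field extraction regex are assumptions that stand in for Splunk's segmentation and props.conf extractions.

```python
import re
from collections import defaultdict

# Constructed sample proxy events (not real data); two carry the misspelled "Mozila".
EVENTS = [
    'ts=2024-01-01T10:00:00 src=10.0.0.5 dst=example.com user_agent="Mozila/5.0 (Windows NT 10.0)" status=200',
    'ts=2024-01-01T10:00:01 src=10.0.0.6 dst=example.org user_agent="Mozilla/5.0 (X11; Linux)" status=200',
    'ts=2024-01-01T10:00:02 src=10.0.0.7 dst=cdn.example.net user_agent="curl/8.4.0" status=304',
    'ts=2024-01-01T10:00:03 src=10.0.0.8 dst=example.com user_agent="Mozila/4.0 (compatible; MSIE 7.0)" status=403',
    'ts=2024-01-01T10:00:04 src=10.0.0.9 dst=updates.example.com user_agent="Mozilla/5.0 (Macintosh)" status=200',
]

# Assumed stand-in for Splunk's segmenter: runs of word characters, dots and dashes.
TOKEN_RE = re.compile(r'[A-Za-z0-9_.-]+')
# Assumed search-time field extraction for user_agent (what a props.conf EXTRACT would do).
FIELD_RE = re.compile(r'user_agent="([^"]*)"')

def build_lexicon(events):
    """Index-time work: map each lowercase token to the ids of events containing it (tsidx-like)."""
    lexicon = defaultdict(set)
    for i, ev in enumerate(events):
        for tok in TOKEN_RE.findall(ev):
            lexicon[tok.lower()].add(i)
    return lexicon

def search_field_only(events, needle):
    """index=proxy user_agent=*Mozila*: every event is extracted and compared.
    Returns (events scanned, matching event ids)."""
    scanned, hits = 0, []
    for i, ev in enumerate(events):
        scanned += 1
        m = FIELD_RE.search(ev)
        if m and needle.lower() in m.group(1).lower():
            hits.append(i)
    return scanned, hits

def search_keyword_then_field(events, lexicon, needle):
    """index=proxy Mozila user_agent=*Mozila*: the lexicon narrows the candidates first,
    so extraction only runs on events that already contain the token."""
    candidates = sorted(lexicon.get(needle.lower(), ()))
    scanned, hits = 0, []
    for i in candidates:
        scanned += 1
        m = FIELD_RE.search(events[i])
        if m and needle.lower() in m.group(1).lower():
            hits.append(i)
    return scanned, hits

if __name__ == "__main__":
    lex = build_lexicon(EVENTS)
    print("field only:        ", search_field_only(EVENTS, "Mozila"))
    print("keyword then field:", search_keyword_then_field(EVENTS, lex, "Mozila"))
```

Because the lexicon (like Splunk's) holds whole tokens, the keyword prefilter only matches events where the term appears as its own token, whereas the wildcard alone would also match it embedded inside a longer token, so pick a keyword that is a token in your data.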

The post Fields Aren’t Always Faster, Keyword Searches to Speed Up Splunk appeared first on SOC Prime.