**BACKGROUND:** My Disaster Recovery team is compiling a list of all IP endpoints, and has requested that I query all of my Splunk Events (*in all Indexes*) for anything resembling an IP. I created the following search, which works under my smaller Staging Splunk Enterprise, but fails out when I attempt it in my larger Production Splunk Enterprise:
```spl
index="*" earliest=-1d@d latest=-0d@d
| rex field=_raw "(?<ip>\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)"
| stats values(ip)
```
As a workaround to avoid the timeout, I've split the Production search into multiple searches of each Index.
**QUESTIONS**:
1. Is there a more *efficient* way to get the IPs my DR wants?
2. Is there an *efficient* way to join the results of the multiple Index searches in Prod?
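The following is an added example, not code from the question above: it runs the same IPv4 regex over a handful of constructed sample events, once per hypothetical index (`web`, `firewall`), and then unions the per-index sets the way the split Production searches would be joined. The sample events and index names are made up for illustration; the example also shows the caveat that the pattern accepts any four dotted numbers in range, so version strings such as `7.2.1.9` end up in the inventory too.

```python
import re

# The same IPv4 pattern the SPL rex uses, carried over as a Python regex
# with the named group "ip".
IPV4 = re.compile(
    r"\b(?P<ip>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\b"
)

# Constructed sample events keyed by a hypothetical index name (not real data).
SAMPLE_EVENTS = {
    "web": [
        "10.0.0.5 - - [01/Jan/2024] GET /index.html 200",
        "client 192.168.1.20 forwarded for 203.0.113.7",
    ],
    "firewall": [
        "deny src=10.0.0.5 dst=198.51.100.9 proto=tcp",
        "allow src=256.1.1.1 dst=198.51.100.9",  # 256 is not a valid octet: skipped
        "agent version 7.2.1.9 started",          # version string: matched anyway
    ],
}


def ips_per_index(events_by_index):
    """Mimic '| stats values(ip)' run once per index: one set of matches per index."""
    result = {}
    for index, events in events_by_index.items():
        found = set()
        for line in events:
            for m in IPV4.finditer(line):
                found.add(m.group("ip"))
        result[index] = found
    return result


def union_ips(per_index):
    """Join the per-index result sets into a single de-duplicated inventory."""
    return set().union(*per_index.values())


if __name__ == "__main__":
    per_index = ips_per_index(SAMPLE_EVENTS)
    for index, ips in per_index.items():
        print(index, sorted(ips))
    print("all", sorted(union_ips(per_index)))
```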