This message originated from Cribl Community Slack.
Click here to view the original link.
I am new to Cribl Search. We have our Palo Alto traffic logs backed up to AWS S3 buckets. We're being asked to search for four or so src/dest IP addresses over a 6-month period. Are there any tips to a speedy search - would it be better to kick off one search and just wait, or divide it into six separate concurrent searches, each over one month?... I am currently doing one month at a time, example:
set global:max_executors="auto";
dataset="S3_PAN_Traffic" earliest=1759276800 latest=1761955200 (src_ip in ("IPwhatever", "IPwhatever", "IPwhatever", "IPwhatever") OR dest_ip IN ("IPwhatever", "IPwhatever", "IPwhatever", "IPwhatever"))
Solved
Cribl Search Performance Inquiry For AWS S3 Palo Alto Traffic Logs Over 6 Months
Best answer by jlawton589
The answer to your question of one search vs. concurrent searches would depend on the size of the dataset. For larger datasets dividing into multiple queries may be more efficient.
The answer to your question of one search vs. concurrent searches would depend on the size of the dataset. For larger datasets dividing into multiple queries may be more efficient.
Keep an eye on your
Concurrent scheduled search limit : https://docs.cribl.io/search/usage-groups/#usage-limits
@user have you seen our Search Packs for Palo Alto (start with the one in bold)?
Also, here are some resources learn more about Search:
◦ Cribl Search Tutorial
◦ Cribl Search Data Sources Tutorial
◦ Cribl Search Operators
◦ Cribl Search Dashboards
- Free Instructor led training - delivered virtually nearly every week
Sign up
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.