Hi,
I'm dealing with cisco::esa (IronPort) logs that come from 4 different ESA devices.
What I'm trying to do is, by using the transaction method, group events and report on them based on the grouped data (each transaction consists of approximately 15-17 different events). My challenge is that the data is huge (monthly data, ~3M mails) and I'm using a standalone box with 24 GB RAM and 12 CPUs.
When I run the command as written in the transaction documentation, I see that the query gets stuck at some point, not all events are combined correctly, and the results are inconsistent. As far as I have read on this forum, it looks like a scalability issue with transaction.
What's your recommendation?
My query is like this: sourcetype=cisco::esa | transaction custom_mid icid dcid maxevents=20
PS: custom_mid is a special field I created, since I'm using 4 different log sources (Cisco ESA devices) and MID values sometimes clash. So I created custom_mid like: IPofDevice+MID
Thanks,
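As an added example that is not part of the original post (my own code, not Splunk's or Cisco's), the Python below mimics what the transaction in the question is meant to do, on a constructed pair of ESA mail_logs excerpts: it keys events on (device host, MID), which is the custom_mid = IPofDevice+MID idea from the PS, and shows that keying on the bare MID silently merges two unrelated messages from two devices that happen to reuse the same MID counter. The host prefix, IP addresses, MID/ICID/DCID values and the maxevents cap are all assumptions made up for the demo.

```python
import re
from collections import defaultdict

# Constructed sample (not real ESA output): syslog-style lines from two ESA
# devices, host first, body in Cisco ESA mail_logs style. Both devices have
# reached MID 1001 for unrelated messages, the collision the post describes.
SAMPLE_LOGS = """\
10.1.1.1 Info: New SMTP ICID 501 interface Data1 (10.1.1.1) address 198.51.100.7
10.1.1.1 Info: Start MID 1001 ICID 501
10.1.1.1 Info: MID 1001 ICID 501 From: <alice@example.com>
10.1.1.1 Info: MID 1001 ICID 501 RID 0 To: <bob@example.net>
10.1.1.1 Info: MID 1001 Subject 'invoice'
10.1.1.1 Info: Delivery start DCID 77 MID 1001 to RID [0]
10.1.1.1 Info: Message done DCID 77 MID 1001 to RID [0]
10.1.1.1 Info: Message finished MID 1001 done
10.2.2.2 Info: New SMTP ICID 901 interface Data1 (10.2.2.2) address 203.0.113.9
10.2.2.2 Info: Start MID 1001 ICID 901
10.2.2.2 Info: MID 1001 ICID 901 From: <mallory@example.org>
10.2.2.2 Info: MID 1001 ICID 901 RID 0 To: <carol@example.net>
10.2.2.2 Info: MID 1001 Subject 'reset your password'
10.2.2.2 Info: Delivery start DCID 42 MID 1001 to RID [0]
10.2.2.2 Info: Message done DCID 42 MID 1001 to RID [0]
10.2.2.2 Info: Message finished MID 1001 done
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<msg>.*)$")
ID_RES = {name: re.compile(rf"\b{name} (\d+)") for name in ("MID", "ICID", "DCID")}


def parse(lines):
    """Yield (host, ids, msg); ids maps MID/ICID/DCID to the value found on the line."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        ids = {}
        for name, rx in ID_RES.items():
            hit = rx.search(msg)
            if hit:
                ids[name] = hit.group(1)
        yield m.group("host"), ids, msg


def group_events(lines, per_device=True, maxevents=20):
    """Group ESA events per message, returning (groups, dropped_count).

    per_device=True keys on (host, MID), i.e. the post's custom_mid = IPofDevice+MID.
    per_device=False keys on the bare MID and shows why that is wrong with several
    devices: two unrelated messages land in one group.
    A line with no MID but an ICID (the 'New SMTP ICID' line) is attached through
    the ICID->MID link learned from the 'Start MID ... ICID ...' line of the same host.
    maxevents mimics transaction's cap (assumed semantics): surplus events are dropped.
    """
    events = list(parse(lines))

    def key_of(host, mid):
        return (host, mid) if per_device else mid

    # Pass 1: learn which ICID belongs to which message on each device.
    icid_key = {}
    for host, ids, _ in events:
        if "MID" in ids and "ICID" in ids:
            icid_key[(host, ids["ICID"])] = key_of(host, ids["MID"])

    # Pass 2: assign every event to its message, honouring the cap.
    groups = defaultdict(list)
    dropped = 0
    for host, ids, msg in events:
        if "MID" in ids:
            key = key_of(host, ids["MID"])
        elif (host, ids.get("ICID")) in icid_key:
            key = icid_key[(host, ids["ICID"])]
        else:
            continue  # orphan line: nothing ties it to a message
        if len(groups[key]) >= maxevents:
            dropped += 1
            continue
        groups[key].append((ids, msg))
    return dict(groups), dropped


def summarize(groups):
    """Per-message report: event count plus the ICIDs and DCIDs seen in the group."""
    report = {}
    for key, evs in groups.items():
        report[key] = {
            "events": len(evs),
            "icids": sorted({ids["ICID"] for ids, _ in evs if "ICID" in ids}),
            "dcids": sorted({ids["DCID"] for ids, _ in evs if "DCID" in ids}),
        }
    return report


if __name__ == "__main__":
    for per_device in (True, False):
        groups, dropped = group_events(SAMPLE_LOGS.splitlines(), per_device=per_device)
        print(f"per_device={per_device}: {summarize(groups)} dropped={dropped}")
```

With per_device=True the two messages stay separate (8 events each, one ICID and one DCID apiece); with per_device=False they collapse into a single 16-event group carrying both ICIDs and both DCIDs, which is the kind of wrongly combined result the post describes. Lowering maxevents below a message's real event count does not fix that, it only truncates the group and counts the rest as dropped.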