All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best way to use transaction method efficiently

ozirus
Path Finder
‎07-22-2018 01:52 AM

Hi,

I'm dealing with cisco::esa (Ironport) logs that comes from 4 different ESA devices.

What I'm trying to do is; by using transaction method, grouping events and reporting them based on grouped data. (Each transaction approximately consists of 15-17 different events) and my challenge is data is huge (montly data, ~3M mail ) and I'm using a standalone box with 24 Gb RAM and 12 CPU.

When I run the command like written in transaction documentation, I see that query stucked at some point, not all events are combined correctly and results are inconsistent. As far as I read from this forum, It looks like a scalability issue of transaction.

What's your recommendation?

My query is like this; sourcetype=cisco::esa| transaction custom_mid icid dcid maxevenst=20

PS: custom_mid is a special variable I created since I'm using 4 different log source of Cisco ESA devices, MID values sometimes collapses. So I created custom_mid like: IPofDevice+MID

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...