I have a search taking more than 48 hours to complete. I am searching within 2 indexes over the span of a single week. Can anyone provide optimization recommendations?
``` Pair each Address: event with the following Payload: event, keep the listed SOA operations, then keep users whose looked-up directory groups match the IT patterns. ```
eventtype=SDW_BPM_EVENTS (TYPE=Address: OR TYPE=Payload:)
``` NOTE(review): transaction has no field list, maxspan or maxevents here, so pairing depends on event order alone and every event in the time range is fed to it. ```
| transaction startswith=Address: endswith=Payload:
``` Operation filter, applied to the grouped transactions. ```
| search soa_user_id!=NULL AND
    (
        soa_operation_name IN (createCreditCards, updateCreditCards, completeMembershipCheckout, createBatch, exchangePaymentRefund, processExchangeTransaction, processShortStayTransaction, purchaseRetradeProgram, updateGuestCertificate, processTransaction, extendDeposit, accommodationCertificateExtensionUpdate)
        OR soa_operation_request=processVacationRequestTransaction
        OR ( (soa_operation_name=signalRecapState OR soa_operation_response=signalRecapStateResponse) AND index=sdw )
    )
``` Enrich each transaction with the user's directory groups (lookup column Groups, keyed on UserName). ```
| lookup IIActiveDirectoryAll UserName AS soa_user_id OUTPUT Groups AS soa_user_groups
``` Keep group names that look like IT groups and drop look-alikes. NOTE(review): *autit* is presumably a deliberate match for a misspelled group name; confirm. ```
| search
    (
        (
            soa_user_groups="* IT*" OR soa_user_groups="*IT *" OR soa_user_groups="*-IT*"
            OR soa_user_groups="*IT-*" OR soa_user_groups="*I-Series*" OR soa_user_groups="*ITCM*"
        )
        AND NOT
        (
            soa_user_groups="*italy*" OR soa_user_groups="*credit*"
            OR soa_user_groups="*audit*" OR soa_user_groups="*autit*"
        )
    )
``` NOTE(review): the capture-group names in the rex patterns below were lost when the page was rendered; (?P must be followed by a group name in angle brackets. Restore the original field names before running. ```
| rex "(?i)\-M:(?P[^\-]+)"
| rex "(?i)\-C:(?P[^\]]+)"
| rex "SubscriptionSelection.*TransactionCd\>(?P[^<]+).*TransTypeDesc\>(?P[^<]+).*NetAmount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)"
| rex ":Amount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)"
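Give this a try. It moves the soa_user_id and operation filter ahead of transaction, so far fewer events have to be grouped. Check that both the Address: and Payload: events carry those fields; otherwise the filter removes one half of each pair before it can be grouped.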
``` Filter to the listed SOA operations first, then pair Address:/Payload: events, then keep users whose looked-up directory groups match the IT patterns. ```
eventtype=SDW_BPM_EVENTS (TYPE=Address: OR TYPE=Payload:)
``` NOTE(review): this filter now runs on single events rather than on grouped transactions. If the soa_ fields are present on only one of the Address:/Payload: events, the other half of each pair is dropped here and transaction cannot complete it; confirm both event types carry them. ```
| search soa_user_id!=NULL AND
    (
        soa_operation_name IN (createCreditCards, updateCreditCards, completeMembershipCheckout, createBatch, exchangePaymentRefund, processExchangeTransaction, processShortStayTransaction, purchaseRetradeProgram, updateGuestCertificate, processTransaction, extendDeposit, accommodationCertificateExtensionUpdate)
        OR soa_operation_request=processVacationRequestTransaction
        OR ( (soa_operation_name=signalRecapState OR soa_operation_response=signalRecapStateResponse) AND index=sdw )
    )
``` No field list, maxspan or maxevents is given, so pairing depends on event order alone. ```
| transaction startswith=Address: endswith=Payload:
``` Enrich each transaction with the user's directory groups (lookup column Groups, keyed on UserName). ```
| lookup IIActiveDirectoryAll UserName AS soa_user_id OUTPUT Groups AS soa_user_groups
``` Keep group names that look like IT groups and drop look-alikes. NOTE(review): *autit* is presumably a deliberate match for a misspelled group name; confirm. ```
| search
    (
        (
            soa_user_groups="* IT*" OR soa_user_groups="*IT *" OR soa_user_groups="*-IT*"
            OR soa_user_groups="*IT-*" OR soa_user_groups="*I-Series*" OR soa_user_groups="*ITCM*"
        )
        AND NOT
        (
            soa_user_groups="*italy*" OR soa_user_groups="*credit*"
            OR soa_user_groups="*audit*" OR soa_user_groups="*autit*"
        )
    )
``` NOTE(review): the capture-group names in the rex patterns below were lost when the page was rendered; (?P must be followed by a group name in angle brackets. Restore the original field names before running. ```
| rex "(?i)\-M:(?P[^\-]+)"
| rex "(?i)\-C:(?P[^\]]+)"
| rex "SubscriptionSelection.*TransactionCd\>(?P[^<]+).*TransTypeDesc\>(?P[^<]+).*NetAmount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)"
| rex ":Amount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)"
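And this, which also replaces the lookup-and-filter step with a subsearch on the lookup table, so only events from the matching users are retrieved. Keep in mind that a subsearch is capped in rows and run time, and a truncated user list narrows the results rather than failing the search.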
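``` Restrict events to the listed SOA operations and to users whose directory groups match the IT patterns (user list built by a subsearch over the lookup table), then pair Address:/Payload: events. ```
eventtype=SDW_BPM_EVENTS (TYPE=Address: OR TYPE=Payload:)
``` NOTE(review): these filters run on single events. If the soa_ fields are present on only one of the Address:/Payload: events, the other half of each pair is dropped here and transaction cannot complete it; confirm both event types carry them. ```
| search soa_user_id!=NULL AND
    (
        soa_operation_name IN (createCreditCards, updateCreditCards, completeMembershipCheckout, createBatch, exchangePaymentRefund, processExchangeTransaction, processShortStayTransaction, purchaseRetradeProgram, updateGuestCertificate, processTransaction, extendDeposit, accommodationCertificateExtensionUpdate)
        OR soa_operation_request=processVacationRequestTransaction
        OR ( (soa_operation_name=signalRecapState OR soa_operation_response=signalRecapStateResponse) AND index=sdw )
    )
    ``` The subsearch reads the lookup table directly, so the group column is Groups here; soa_user_groups is only an alias created by a lookup command in the outer search and does not exist in the table, so filtering on it would match no rows. The subsearch output is subject to the subsearch row and runtime limits in limits.conf; if the user list is truncated, events for the missing users are not returned. NOTE(review): *autit* is presumably a deliberate match for a misspelled group name; confirm. ```
    [
        | inputlookup IIActiveDirectoryAll
        | search
            (
                (
                    Groups="* IT*" OR Groups="*IT *" OR Groups="*-IT*"
                    OR Groups="*IT-*" OR Groups="*I-Series*" OR Groups="*ITCM*"
                )
                AND NOT
                (
                    Groups="*italy*" OR Groups="*credit*"
                    OR Groups="*audit*" OR Groups="*autit*"
                )
            )
        | table UserName
        | rename UserName AS soa_user_id
    ]
``` No field list, maxspan or maxevents is given, so pairing depends on event order alone. ```
| transaction startswith=Address: endswith=Payload:
``` NOTE(review): the capture-group names in the rex patterns below were lost when the page was rendered; (?P must be followed by a group name in angle brackets. Restore the original field names before running. ```
| rex "(?i)\-M:(?P[^\-]+)"
| rex "(?i)\-C:(?P[^\]]+)"
| rex "SubscriptionSelection.*TransactionCd\>(?P[^<]+).*TransTypeDesc\>(?P[^<]+).*NetAmount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)"
| rex ":Amount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)"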