Hello.
I have this search:
index="flow" earliest=-15m latest=now
| append [search index="flow" earliest=-15m latest=-60s
| eventstats sum(cli2srv_bytes_full) as upload_by_local_ip2 sum(srv2cli_bytes_full) as download_by_local_ip2 by local_ip, remote_ip
| dedup local_ip remote_ip
| table new_time local_ip remote_ip upload_by_local_ip2 download_by_local_ip2
| outputlookup append=false flows_search.csv
]
| lookup flows_search.csv local_ip remote_ip OUTPUT upload_by_local_ip2, download_by_local_ip2
| eventstats sum(cli2srv_bytes_full) as upload_by_local_ip sum(srv2cli_bytes_full) as download_by_local_ip by local_ip, remote_ip
| dedup local_ip remote_ip
| eval upload_by_local_ip2 = if(isnull(upload_by_local_ip2), 0, upload_by_local_ip2)
| eval download_by_local_ip2 = if(isnull(download_by_local_ip2), 0, download_by_local_ip2)
| eval limit = upload_by_local_ip - upload_by_local_ip2
So I calculated the transmitted bytes from -15m to now and from -15m to -1m, and look at how it changes. This is the question:
I think this is complicated code and has overhead.
How do I optimize the search?
Thanks in advance.
Using | eval cli2srv_bytes_full2=if(now()-_time >=60,cli2srv_bytes_full,0) in the main search without the second search seems to work.
@borgetko If your problem is resolved, please accept the answer to help future readers.
The problem is not resolved, because in events where now()-_time < 60 the value of cli2srv_bytes_full2 is 0, so
if I do dedup by cli2srv_bytes_full then cli2srv_bytes_full2 will be 0, but I want cli2srv_bytes_full2 to have the latest (highest) value.
I tried to do a transaction without dedup, but the job takes more time than it would with 2 searches.
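Added example, not posted by anyone in this thread: a single-pass version of the search. The reason the conditional eval does not combine with eventstats + dedup is that dedup keeps one event per local_ip/remote_ip pair (the newest one, which is inside the last 60 seconds and therefore carries 0), so the per-pair totals computed by eventstats are thrown away with the other events. Replacing eventstats + dedup with stats sums the conditional field across all events of the pair, so the zeros from the newest events simply contribute nothing, and no subsearch, append, outputlookup or lookup is needed. Field names (index, local_ip, remote_ip, cli2srv_bytes_full, srv2cli_bytes_full, upload_by_local_ip*, download_by_local_ip*, limit) are taken from the thread; new_time is not defined anywhere above, so computing it as the newest event time per pair with max(_time) is an assumption, as is the added download_delta field.

```spl
index="flow" earliest=-15m latest=now
| eval age_s = now() - _time
| eval up_old   = if(age_s >= 60, cli2srv_bytes_full, 0)
| eval down_old = if(age_s >= 60, srv2cli_bytes_full, 0)
| stats sum(cli2srv_bytes_full) as upload_by_local_ip
        sum(srv2cli_bytes_full) as download_by_local_ip
        sum(up_old)             as upload_by_local_ip2
        sum(down_old)           as download_by_local_ip2
        max(_time)              as new_time
        by local_ip remote_ip
| eval limit = upload_by_local_ip - upload_by_local_ip2
| eval download_delta = download_by_local_ip - download_by_local_ip2
| table new_time local_ip remote_ip upload_by_local_ip upload_by_local_ip2 limit download_by_local_ip download_by_local_ip2 download_delta
```

now() in eval is the search start time, which is the same instant latest=now resolves to, so age_s >= 60 selects exactly the events the original subsearch covered with latest=-60s. A pair that has no events older than 60 seconds gets upload_by_local_ip2 = 0 from the sum, which removes the need for the isnull() checks, and because everything is computed in one pass the search is no longer subject to subsearch result and runtime limits or to a lookup file being rewritten on every run. The limit field keeps the name used in the thread; it is the number of bytes uploaded for the pair in the last 60 seconds.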