I have this search:
```spl
index="flow" earliest=-15m latest=now
| append [
    search index="flow" earliest=-15m latest=-60s
    | eventstats sum(cli2srv_bytes_full) as upload_by_local_ip2 sum(srv2cli_bytes_full) as download_by_local_ip2 by local_ip, remote_ip
    | dedup local_ip remote_ip
    | table new_time local_ip remote_ip upload_by_local_ip2 download_by_local_ip2
    | outputlookup append=false flows_search.csv ]
| lookup flows_search.csv local_ip remote_ip OUTPUT upload_by_local_ip2, download_by_local_ip2
| eventstats sum(cli2srv_bytes_full) as upload_by_local_ip sum(srv2cli_bytes_full) as download_by_local_ip by local_ip, remote_ip
| dedup local_ip remote_ip
| eval upload_by_local_ip2 = if(isnull(upload_by_local_ip2), 0, upload_by_local_ip2)
| eval download_by_local_ip2 = if(isnull(download_by_local_ip2), 0, download_by_local_ip2)
| eval limit = upload_by_local_ip - upload_by_local_ip2
```
So I calculated the transmitted bytes from -15m to now and from -15m to -1m, and looked at how they change. This is the question:
I think this is complicated code and has overhead.
How do I optimize the search?
Thanks in advance.
`| eval cli2srv_bytes_full2=if(now()-_time >=60,cli2srv_bytes_full,0)` in the main search, without the second search, seems to work.
@borgetko If your problem is resolved, please accept the answer to help future readers.
The problem is not resolved because in events where now()-_time < 60 the value **cli2srv_bytes_full2** is 0, so
if I do dedup by **cli2srv_bytes_full** then **cli2srv_bytes_full2** will be 0, but I want **cli2srv_bytes_full2** to have the latest (highest) value.
I tried to do a transaction without dedup, but the job takes more time than with 2 searches.
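One way to get both windows from a single pass over the events, as an added example that is not part of the original thread and not the accepted answer's search: instead of tagging each event and then deduplicating, aggregate per (local_ip, remote_ip) pair with `stats` and use `sum(eval(...))` so that events from the last 60 s count towards the -15m totals but add 0 to the -15m..-60s totals. It assumes the same index and field names as the question (`flow`, `cli2srv_bytes_full`, `srv2cli_bytes_full`, `local_ip`, `remote_ip`); `in_older_window` is a helper field introduced here.

```spl
index="flow" earliest=-15m latest=now
| eval in_older_window = if(now() - _time >= 60, 1, 0)
| stats sum(cli2srv_bytes_full) as upload_by_local_ip
        sum(srv2cli_bytes_full) as download_by_local_ip
        sum(eval(if(in_older_window == 1, cli2srv_bytes_full, 0))) as upload_by_local_ip2
        sum(eval(if(in_older_window == 1, srv2cli_bytes_full, 0))) as download_by_local_ip2
        by local_ip, remote_ip
| eval limit = upload_by_local_ip - upload_by_local_ip2
```

Because `stats ... by local_ip, remote_ip` already returns one row per pair, no `dedup`, `append`, lookup file or `isnull()` fill-in is needed, and a pair whose only traffic is from the last 60 s gets 0 in the `*2` fields rather than null.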