Hi guys,
I have a search with a subsearch that times out before it can complete. The subsearch doesn't finalise, so then the main search gets no results. Can anyone think of a better way to write this search so that perhaps that subsearch will perform better and I will not have to increase limits.conf? Are there any issues with increasing limits.conf?
index=bla [search index=bla (subject="Test*") | dedup x | table x]
|stats values(*) As * by x,filter_instance
|table _time,from,ip,recipient,subject,x
Thanks!
Try setting a shorter static timerange that overrides the TimePicker for the subsearch like this:
index=bla [search index=bla (subject="Test*") earliest=-1h | stats first(host) BY x | table x]
|stats values(*) As * by x,filter_instance
|table _time,from,ip,recipient,subject,x
Try this for your subsearch...
[search index=bla (subject="Test*") x=* | stats first(index) by x | fields - index]
stats first(blah) should require less resources than dedup.
Thanks, this worked.
I think you may have simplified your example a little too much or maybe I'm just not following.
You're looking for the values of x that only exist when subject="Test*" but then you want to do a stats by x? I'm not seeing the purpose of the subsearch. Could you try either explaining it or maybe simplify it better?