Hi,

How can I tune this SPL command? This SPL executes daily and returns something like this:

servername  send                 receive              customer                 ID  status
Customer4   2021-21-11 12:12:39  2021-21-11 12:15:03  CUS.AaBB-APP1-12345_CUS  10  144.772000
Customer3   2021-21-11 12:09:58  2021-21-11 12:12:03  CUS.AaBB-APP1-98765_CUS  20  125.616000

Here are the statistics for this query:

Events: 72,070,802 (11/21/21 12:00:00.000 AM to 11/22/21 12:00:00.000 AM)
Size: 2.09 GB
Statistics (248,138)

It takes a huge amount of time to return the result. Is there any way to tune the query, or any trick that returns this result faster?

FYI: I tried to use a summary index, but it still takes a long time to return the result.

Here is my query:

index="myindex" source="/data/product/*/customer*" (date_hour>=1 AND (date_hour<23 OR (date_hour=23 date_minute<30))) "Packet Processed" OR "Normal Packet Received"
| rex field=source "\/data\/(?<product>\w+)\/(?<date>\d+)\/(?<servername>\w+)"
| rex "ID\[(?<ID>\d+)"
| rex "^(?<timestamp>.{23}) INFO (?<customer>.*) \[AppServiceName\] (?<status>.*): M\[(?<Acode>.*)\] T\[(?<Bcode>\d+)\]"
| rex field=customer "_(?<customer2>.*)"
| eval customer2=coalesce(customer2,customer), customer=if(customer=customer2,null(),customer)
| eval sendTime=if(status="Packet Processed",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()), receiveTime=if(status="Normal Packet Received",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null())
| eval AcodeSend=if(status="Packet Processed",Acode,null()), BcodeSend=if(status="Packet Processed",Bcode,null()), AcodeReceive=if(status="Normal Packet Received",Acode,null()), BcodeReceive=if(status="Normal Packet Received",Bcode,null())
| eval AcodeReceiveLookFor=AcodeSend+10, acr=coalesce(AcodeReceive,AcodeReceiveLookFor)
| fields - Acode _time timestamp status AcodeReceiveLookFor
| stats values(*) as *, count by customer2, acr, Bcode
| eval duration=receiveTime-sendTime, customer=coalesce(customer,customer2)
| eval status=case(isnull(AcodeSend),"No Send",isnull(AcodeReceive),"No receive")
| eventstats max(duration) as duration by customer2
| where count=2 OR (status="No receive" AND isnull(duration))
| eval status=coalesce(status,duration)
| search NOT status="No receive"
| search NOT status="No Send"
| search status>2
| eval send=strftime(sendTime, "%Y-%d-%m %H:%M:%S")
| eval receive=strftime(receiveTime, "%Y-%d-%m %H:%M:%S")
| table servername send receive customer ID status

Any idea? Thanks
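The following is an added example, not the poster's query, showing how the same send/receive pairing can be written so that it follows the usual Splunk performance rules: bound the search by time instead of by `date_hour`, drop unneeded fields before any extraction, aggregate only the fields the report needs instead of `values(*) as *`, and filter once with `where` instead of three `search` passes after `stats`. It reuses the rex patterns from the post and assumes (this is an assumption, not stated in the post) that the report is scheduled shortly after midnight for the previous day, so `-1d@d+1h` and `@d-30m` bound yesterday 01:00 to 23:30. It also drops the `eventstats` step and reports the per-pair `duration` in place of the original `status` column.

```spl
index="myindex" source="/data/product/*/customer*"
    earliest=-1d@d+1h latest=@d-30m
    ("Packet Processed" OR "Normal Packet Received")
| fields _raw source
| rex field=source "/data/(?<product>\w+)/(?<date>\d+)/(?<servername>\w+)"
| rex "ID\[(?<ID>\d+)"
| rex "^(?<timestamp>.{23}) INFO (?<customer>.*) \[AppServiceName\] (?<status>.*): M\[(?<Acode>.*)\] T\[(?<Bcode>\d+)\]"
| rex field=customer "_(?<customer2>.*)"
| eval customer2=coalesce(customer2, customer)
| eval epoch=strptime(timestamp, "%Y-%m-%d %H:%M:%S,%3Q")
| eval sendTime=if(status="Packet Processed", epoch, null()),
       receiveTime=if(status="Normal Packet Received", epoch, null()),
       acr=if(status="Packet Processed", Acode+10, Acode)
| stats min(sendTime) as sendTime, min(receiveTime) as receiveTime,
        values(servername) as servername, values(ID) as ID,
        values(customer) as customer, count
        by customer2, acr, Bcode
| eval duration=receiveTime-sendTime
| where count=2 AND duration>2
| eval send=strftime(sendTime, "%Y-%m-%d %H:%M:%S"),
       receive=strftime(receiveTime, "%Y-%m-%d %H:%M:%S")
| table servername send receive customer ID duration
```

Why each change matters: `earliest`/`latest` let the indexers skip whole buckets outside the window, whereas `date_hour` conditions still have to be evaluated against every event in the day; note that `date_hour` comes from the timestamp as written in the raw event while `earliest`/`latest` snap in the search's time zone, so the two windows coincide only when those agree. `fields _raw source` stops unused search-time field extractions before `rex` runs. `values(*) as *` forces `stats` to build a multivalue set of every field for 248,138 groups; naming the handful of fields the table needs is far cheaper. The three `search` commands after `stats` each re-scan the result set, and `eventstats` over all rows does the same; if the per-customer maximum from the original `eventstats max(duration) ... by customer2` is really wanted, run it after the `where`, when only paired rows remain. Two observations from the post itself: the `%Y-%d-%m` format in the original produces the `2021-21-11` values visible in the sample output, which is why the example switches to `%Y-%m-%d`; and a summary index only speeds the daily report up if the populating search does the pairing and the report reads the already-aggregated rows. The Job Inspector shows the time spent in each command and is the quickest way to confirm where the cost actually is.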