I have this query to find hosts from a lookup that have zero events. There are about 100 hosts and I can see that the query performance is slow with the use of a subquery this way. Any ideas t...
Hi
I am running a heavy forwarder with HEC and it is sending data to 3 indexers. I am starting to read about ways to optimise this configuration, but I am not sure if I have all the s...
..." only returns about 300 results, but the subsearch is searching across millions of users accounts. If I removed the sub search, the outer search only takes a few seconds to complete.
Does a...
I am getting an error when using the following regex (?<=on\s)(.*)(?=\sby Firewall Settings) The error is "Error in 'rex' command: regex="(?<=on\s)(.*)(?<HostName>.*)(?=\sby Firewal...
Hi,
I've got ~15.000 events where FieldA exists (in total there are 20.000.000 events). I want to filter out these events and I'm wondering about the performance of different approaches.
Why i...
Hi All,
How can I optimize the below query? Can we convert it to tstats?
index=abc host=def* stalled
| rex field=_raw "symbol (?<symbol>.*) /"
| eval hourofday = s...
...isplay the dashboard. What constitutes a search: a database search? Or does the post search also count?
2) I did some rough counts. If I merge the 5 summary indexes into one, there will be about 3...
I would like to use a lookup into an external database to add fields to my events, but need some advice about performance and caching of expensive lookups.
For example, say I have a log of o...
E.g. when using the NLog file target: https://github.com/NLog/NLog/wiki/File-target What's the optimal performance way for creating log files for the Forwarder? One record per file (t...
index="abcd" | eval _time = strptime(TS_Changed_At,"%d/%m/%Y %H:%M") | sort 0 ID _time | dedup ID _time | eventstats last(Status) as current_status by ID | where current_status="AAA" OR current_...