The whole query is below. With a span that returns fewer than 10 events it's still quite fast, but going over 20 events just keeps it hanging at 'Finalizing Job'.
Another thing I just noticed that goes wrong here is in the case of a binary value such as 11000: the ltrim part goes wrong. However, I think it can be fixed by adding a 'substr(X,Y,Z)'.
I guess if this isn't going to work out I'll have the lookup files changed to a format that is easier to use.
index=abc binary!=0* earliest=-60m
| eval len1=len(binary)
| eval binary = ltrim(binary,"1")
| eval binary = ltrim(binary,"0")
| eval len2=len(binary)
| eval binary = ltrim(binary,"1")
| eval binary = ltrim(binary,"0")
| eval len3=len(binary)
| eval binary = ltrim(binary,"1")
| eval binary = ltrim(binary,"0")
| eval len4=len(binary)
| eval binary = ltrim(binary,"1")
| eval binary = ltrim(binary,"0")
| eval len5=len(binary)
| eval binary = ltrim(binary,"1")
| eval binary = ltrim(binary,"0")
| eval len6=len(binary)
| eval binary = ltrim(binary,"1")
| eval binary = ltrim(binary,"0")
| eval mask1 = mvrange(0,len1)
| eval mask2 = mvrange(0,len2)
| eval mask3 = mvrange(0,len3)
| eval mask4 = mvrange(0,len4)
| eval mask5 = mvrange(0,len5)
| eval mask6 = mvrange(0,len6)
| streamstats count
| mvexpand mask1
| mvexpand mask2
| mvexpand mask3
| mvexpand mask4
| mvexpand mask5
| mvexpand mask6
| eval mask1 = if(mask1==0, "1", "0")
| eval mask2 = if(mask2==0, "1", "0")
| eval mask3 = if(mask3==0, "1", "0")
| eval mask4 = if(mask4==0, "1", "0")
| eval mask5 = if(mask5==0, "1", "0")
| eval mask6 = if(mask6==0, "1", "0")
| stats list(mask1) as mask1 list(mask2) as mask2 list(mask3) as mask3 list(mask4) as mask4 list(mask5) as mask5 list(mask6) as mask6 by count _time
| eval mask1 = mvjoin(mask1,"")
| eval mask2 = mvjoin(mask2,"")
| eval mask3 = mvjoin(mask3,"")
| eval mask4 = mvjoin(mask4,"")
| eval mask5 = mvjoin(mask5,"")
| eval mask6 = mvjoin(mask6,"")
| dedup count
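To make the behaviour of the query above concrete, here is an added Python model (not part of the original post) of what the pipeline computes: the len1..len6 values the ltrim rounds produce, the per-event row count that the six chained mvexpand steps generate, and the masks the pipeline is evidently meant to build. The sample binary values are constructed; the function names are hypothetical.

```python
# Added example (not part of the original post): the mask construction the
# posted SPL aims at, computed directly, plus the row count that the six
# chained mvexpand steps generate per event (the cartesian product that
# leaves the job stuck in 'Finalizing Job'). Sample values are constructed.
from functools import reduce
from operator import mul


def ltrim_runs(binary: str, rounds: int = 6) -> list[int]:
    """Mimic the repeated ltrim(binary,"1") / ltrim(binary,"0") pairs and
    return len1..len6, i.e. the length left before each round."""
    lengths = []
    for _ in range(rounds):
        lengths.append(len(binary))
        binary = binary.lstrip("1").lstrip("0")
    return lengths


def cartesian_rows(lengths: list[int]) -> int:
    """Rows per event after mvexpand mask1 ... mvexpand mask6: each mvrange
    has lenN values, so the expansions multiply. A zero-length mvrange
    yields no rows at all, which is what happens with '11000'."""
    return reduce(mul, lengths, 1)


def spl_masks(binary: str) -> list[str]:
    """Masks the pipeline is evidently meant to produce: maskN is a single
    '1' followed by lenN-1 zeros. Only the first '1' of each run survives,
    because ltrim strips the whole run at once."""
    return ["1" + "0" * (n - 1) for n in ltrim_runs(binary) if n > 0]


def bit_masks(binary: str) -> list[str]:
    """One mask per set bit, in the same right-anchored form, without the
    lost-bit problem (the effect the substr(X,Y,Z) idea is after)."""
    n = len(binary)
    return ["1" + "0" * (n - 1 - i) for i, ch in enumerate(binary) if ch == "1"]


if __name__ == "__main__":
    for value in ("101010", "11000", "10101010101010101010"):
        lens = ltrim_runs(value)
        print(value, lens, "rows/event:", cartesian_rows(lens))
        print("  spl_masks:", spl_masks(value), " bit_masks:", bit_masks(value))
```

For a 20-bit alternating value the six expansions multiply out to roughly 9.7 million rows per event, which is why the job stalls once more than a handful of events match.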