search is very slow when using last 4 hours, parsing job runs at least 3 minutes and still running
source=/var/log/remote/192.168.1.1.log set diff [search "Built inbound" NOT "8.8.8.8" NOT "8.8.4.4" | rex field=_raw "Outside:(?\d+.\d+.\d+.\d+){0,3}" | rex field=_raw "Inside:(?\d+.\d+.\d+.\d+){0,3}"] [search "Built outbound" outsideip=* | rex field=_raw "Outside:(?\d+.\d+.\d+.\d+){0,3}" | rex field=_raw "Inside:(?\d+.\d+.\d+.\d+){0,3}"] | mvexpand destinationip2 | table destinationip2, sourceip2 | stats values(sourceip2) as sourceip2, count by destinationip2 | sort by count by desc | head 10
... View more