Hopefully the dedup works, but we couldn't get it working. We always found some new scenario where dedup "found" the wrong ticket (not the latest one, but something else). We gave up and now we dump all the tickets every 5 minutes (yes, it's crazy), then we add the current time to the event (we name it INDEX_TIME) and finally we have this in our search: `| eventstats max(INDEX_TIME) as last | where INDEX_TIME=last`
Now we are trying to figure out how to get rid of the events where INDEX_TIME is older than 1 hour in order to keep the dashboard as quick as possible. We set the index freeze time to 1 hour, but it doesn't work as we expected...
All in all our setup works, but we hope to find a more efficient way. Basically we need a solution where the search always finds the latest update of the ticket. And the ticket source is a relational DB...
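As an added illustration (not the poster's code or data), the snapshot logic from the post, the one-hour age cut-off, and a per-ticket "latest update" selection written out in plain Python over constructed dump rows; the field names `ticket_id`, `status` and `updated_at` are assumptions for the example.

```python
"""Keep only the latest ticket state from periodic full dumps.

Mirrors the Splunk workaround ``| eventstats max(INDEX_TIME) as last
| where INDEX_TIME=last`` in plain Python and adds a per-ticket variant.
Field names ticket_id / status / updated_at and all rows are constructed
for this example.
"""
from datetime import datetime, timedelta

# Constructed sample: two full dumps five minutes apart. Ticket 101 was
# updated between the dumps; ticket 103 appears only in the second dump.
T0 = datetime(2024, 1, 1, 12, 0)
T1 = T0 + timedelta(minutes=5)
ROWS = [
    {"INDEX_TIME": T0, "ticket_id": 101, "status": "open", "updated_at": T0 - timedelta(hours=2)},
    {"INDEX_TIME": T0, "ticket_id": 102, "status": "open", "updated_at": T0 - timedelta(hours=1)},
    {"INDEX_TIME": T1, "ticket_id": 101, "status": "closed", "updated_at": T0 + timedelta(minutes=3)},
    {"INDEX_TIME": T1, "ticket_id": 102, "status": "open", "updated_at": T0 - timedelta(hours=1)},
    {"INDEX_TIME": T1, "ticket_id": 103, "status": "open", "updated_at": T0 + timedelta(minutes=4)},
]

def within_last(rows, now, max_age=timedelta(hours=1)):
    """Search-time age cut-off: drop dump rows whose INDEX_TIME is older
    than max_age (cheaper than relying on index retention for this)."""
    return [r for r in rows if now - r["INDEX_TIME"] <= max_age]

def latest_snapshot(rows):
    """eventstats max(INDEX_TIME) as last | where INDEX_TIME=last:
    keep every row from the most recent dump only."""
    if not rows:
        return []
    last = max(r["INDEX_TIME"] for r in rows)
    return [r for r in rows if r["INDEX_TIME"] == last]

def latest_per_ticket(rows):
    """One row per ticket_id: the one with the newest updated_at.
    Ties are broken by INDEX_TIME so an unchanged, re-dumped ticket is stable."""
    best = {}
    for r in rows:
        key = (r["updated_at"], r["INDEX_TIME"])
        cur = best.get(r["ticket_id"])
        if cur is None or key > (cur["updated_at"], cur["INDEX_TIME"]):
            best[r["ticket_id"]] = r
    return sorted(best.values(), key=lambda r: r["ticket_id"])

if __name__ == "__main__":
    now = T0 + timedelta(minutes=10)
    for r in latest_per_ticket(latest_snapshot(within_last(ROWS, now))):
        print(r["ticket_id"], r["status"])
```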