To reply to your question about latency: Events from tracker.log have not been seen for the last 546 seconds, which is more than the red threshold (210 seconds). Events from tracker.log are delayed for 32126 seconds, which is more than the red threshold (180 seconds). The regex is efficient; I tried it on regex101. At indexing time, there is only one regex, which I wrote for the incoming firewall data to accept only blocked-traffic logs. Because the firewall sends a lot of logs, the indexer has to filter all of those logs at indexing time and index only the blocked traffic. Question: How can adding an indexer help me in this case? Will the two indexers work together on filtering logs at indexing time?
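For reference, the usual way an index-time "keep only blocked traffic" filter is expressed in Splunk, as an added example and not the poster's own configuration (the sourcetype name, the transform names, the log format and the regex are assumptions):

```ini
# props.conf, on the instance that parses the data (an indexer or a heavy
# forwarder; a universal forwarder does not run index-time transforms).
# Sourcetype name is assumed; use the firewall's real sourcetype.
[fw:traffic]
# Transforms run in the listed order: first route every event to nullQueue,
# then override back to indexQueue only for events matching the keep-regex.
TRANSFORMS-filter = fw_drop_all, fw_keep_blocked

# transforms.conf
[fw_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[fw_keep_blocked]
# Assumed log format: key=value pairs with an action field, e.g. action=blocked
REGEX = action=(?:blocked|deny|drop)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Because this runs in the parsing pipeline, each indexer applies the filter only to the events that reach it, and a regex that is slow on real traffic shows up as backed-up parsing queues and the kind of delayed-events warnings quoted above.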