When I'm extracting 1 hr data, I'm able to get the results, but If I go more then 1 hr, it's getting timed out, my requirement to display 24 hrs data on dashboard, Is there any way I can optimize below query?
index=idx2 sourcetype=demographic | rex "\|Country_Code~(?<Country_Code>.*?)\|" | search Country_Code="*" | rex "Service~(?<Service>\w+)\|" | rex "Service_version~(?<Version>\d\.\d)\|" | rex"Response_Status~(?<Status>\w+)\|" | rex "Elapsed_Time~(?<response_time>\d+)\|" | rex "Consumer_Name~(?<Consumer_Name>\w+)\|" | rex "Response_Status_Code~(?<Response_Code>\d+)\|" | eval countSuccess=if(Response_Code==200 OR Response_Code==206 OR Response_Code==404 OR Response_Code==424 OR Response_Code==403 OR Response_Code==501,1,0) | eval countFailure=if(Response_Code==500 OR Response_Code==400,1,0) | eval CountTimeout=if(Response_Code==504,1,0) | stats values(Version) as Version count as Volume sum(countSuccess) as SuccessPerc sum(countFailure) as FailurePerc sum(CountTimeout) as TimieOutPerc avg(response_time) as AvgResp exactperc90(response_time) as "90% Resp (ms)" exactperc99(response_time) as "99% Resp (ms)" min(response_time) as "Min Resp (ms)" max(response_time) as "Max Resp (ms)" by Consumer_Name Service Country_Code | sort - Volume | eval AvgResp=round(AvgResp,2) | eval SuccessPerc=round((SuccessPerc/Volume)*100,2)."%" | eval FailurePerc=round((FailurePerc/Volume)*100,2)."%" | eval TimieOutPerc=round((TimieOutPerc/Volume)*100,2)."%" | rename AvgResp as "Avg Resp (ms)" SuccessPerc as "Success %" FailurePerc as "Failure %" TimieOutPerc as "Timeout %" | eval Volume=toString(Volume,"commas")
... View more