I have a small lookup table with 135 dest_ip values and a search that runs that lookup table against a 40 TB index (for a 6-month period for those IPs). When I run this search (or add an IP to the lookup table, or even just search 1 or 2 single IPs by themselves) against this 40 TB index for a specific time period longer than a month, the search takes hours, and I mean hours.

My question is: without a datamodel, how can I speed this search up? I tried tstats, but that doesn't work unless you have a datamodel (at least I could not get it to work); I tried TERM and could not get that to work either. Any ideas?

Here is the current search I'm using:

index=myindex src_ip=* | lookup mylookup.csv dest_ip OUTPUT dest_ip | dedup src_ip, dest_ip | table src_ip, dest_ip | sort src_ip

The above search works great for the alert I run every 15 minutes to see if anyone hits these IPs in the lookup, but for searching a large index it takes forever. Any help in speeding up a search like this would be appreciated. Thank you.
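An added example (not from the original post) of the usual way to push the lookup's IPs into the base search so the indexers discard non-matching events before the lookup step ever runs; it assumes the lookup column is named dest_ip and that dest_ip is a search-time extracted field in myindex:

```spl
index=myindex src_ip=*
    [| inputlookup mylookup.csv
     | fields dest_ip
     | format ]
| fields _time src_ip dest_ip
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY src_ip dest_ip
| sort src_ip
```

The subsearch expands to `( ( dest_ip="a.b.c.d" ) OR ( dest_ip="..." ) ... )` for the 135 rows, so only events with a listed dest_ip leave the indexers, and `stats ... BY` replaces `dedup` and `table` with a distributable aggregation. Without a data model, `tstats` can only group by indexed fields (host, source, sourcetype, or fields indexed at ingest), which is why it does not see a search-time dest_ip.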