I’m building a report that finds the number of unique users in our activity log each day:
sourcetype="accountTransaction" | timechart span="1d" dc(accountID)
The results are in the neighborhood of 12,000 each day.
This search takes forever to complete, so it seems like a perfect opportunity to use a summary index. So, I changed the search to this:
sourcetype="accountTransaction" | sitimechart span="1d" dc(accountID)
I saved it and scheduled it to run hourly and to use summary indexing. The job runs, but then when I run the search against it:
index=summary search_name="30-day DAU summary" |timechart span=1d dc(accountID)
The result (while nearly instantaneous) is dc(accountID)=1000 every single day – a flat line. Any idea what’s going on? Am I hitting a limit somewhere that I don’t know about?