A query to count tag=pci entries by eventtype (which happens to be part of the application):
tag=pci | stats count by eventtype | sort -count
...results in this error message:
Error in 'UnifiedSearch': unable to parse search 'The specified search is too large. Please try to simplify your
I have about 156m global indexed events on a single indexer and every event is tag=pci. I'm hoping to understand where an upper limit is defined and what I may be doing wrong.