Hi,
I'm having the following dataset:
2014-03-15 17:23:17 host2 transaction="7WB1Hh7VpxWsDae" action="request" uri="/bla/fasel/bar.png" requestSize="123"
2014-03-15 17:23:18 host1 transaction="We6TaPibMJhdYI5" action="request" uri="/bla/fasel/foo.jpg" requestSize="127"
2014-03-15 17:23:19 host2 transaction="7WB1Hh7VpxWsDae" ation="response" responseSize="45678" code="200"
2014-03-15 17:23:20 host1 transaction="We6TaPibMJhdYI5" ation="response" responseSize="4567" code="200"
I need the following aggregated table as a result:
| uri                | sum(requestSize) | sum(responseSize) |
+--------------------+------------------+-------------------+
| /bla/fasel/bar.png |              123 |             45678 |
| /bla/fasel/foo.jpg |              127 |              4567 |
+--------------------+------------------+-------------------+
The maximum time of a transaction is 600 seconds (device timeout).
Until now I'm using the following search:
sourcetype=foo | transaction maxspan=600 maxevents=2 host,transaction | stats sum(responseSize), sum(requestSize) by uri
Working on a larger dataset, this doesn't really scale well. The runtime is several hours.
Is there a better way to achieve the desired results?
Are there some tricks to optimize this query, especially the transaction command?
Maybe there is a workaround by using stats only?
I'm looking forward to your ideas, thanks in advance!
-Lorenz
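A stats-only form of the same search, added here as an illustration and not part of Lorenz's post. It assumes the fields host, transaction, uri, requestSize and responseSize are extracted as in the sample lines above, and it replaces maxspan=600 with a where clause on the span of each transaction:

```spl
sourcetype=foo
| stats min(_time) AS t_start max(_time) AS t_end
        sum(requestSize) AS req sum(responseSize) AS resp
        values(uri) AS uri
        by host, transaction
| where t_end - t_start <= 600
| stats sum(req) AS "sum(requestSize)" sum(resp) AS "sum(responseSize)" by uri
```

The first stats collapses each request/response pair into one row per host and transaction without the per-event buffering that transaction does, and values(uri) carries the uri from the request event because the response line has none. Transactions whose two events lie more than 600 seconds apart are dropped by the where clause, matching the device timeout.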