Solved: Searching using timechart is too slow

xsstest · ‎01-25-2018

I have a index naming is "IDS" . It's has 4 sourcetypes.
The event of the index is very large. an average of 1.3 million events in 10 minutes
I want to use timechart to show every 4 hours IDS alert trend. (on dashboard)
but timechart is too slow. Is there a faster search?

Below is my search:

index=IDS 
|eval ids=case(sourcetype="WAN-http" OR  sourcetype="WAN-ids","WAN",sourcetype="LAN-http" OR sourcetype="LAN-http","LAN")
|timechart count by ids

FrankVl · ‎01-25-2018

Since the case statement in your eval is based on sourcetype, you're effectively doing a count by sourcetype. That can be done much faster using tstats.

| tstats count where index=IDS by sourcetype,_time
| eval ids=case(sourcetype="WAN-http" OR  sourcetype="WAN-ids","WAN",sourcetype="LAN-http" OR sourcetype="LAN-http","LAN")
| timechart sum(count) by ids

View solution in original post

FrankVl · ‎01-25-2018

Since the case statement in your eval is based on sourcetype, you're effectively doing a count by sourcetype. That can be done much faster using tstats.

| tstats count where index=IDS by sourcetype,_time
| eval ids=case(sourcetype="WAN-http" OR  sourcetype="WAN-ids","WAN",sourcetype="LAN-http" OR sourcetype="LAN-http","LAN")
| timechart sum(count) by ids

Searching using timechart is too slow

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor