I have an index named "IDS". It has 4 sourcetypes.
The index is very large: an average of 1.3 million events every 10 minutes.
I want to use timechart
to show the IDS alert trend every 4 hours (on a dashboard),
but timechart is too slow. Is there a faster search?
Below is my search:
index=IDS
|eval ids=case(sourcetype="WAN-http" OR sourcetype="WAN-ids","WAN",sourcetype="LAN-http" OR sourcetype="LAN-http","LAN")
|timechart count by ids
Since the case statement in your eval is based on sourcetype, you're effectively doing a count by sourcetype. That can be done much faster using tstats.
| tstats count where index=IDS by _time span=4h sourcetype
| eval ids=case(sourcetype="WAN-http" OR sourcetype="WAN-ids","WAN",sourcetype="LAN-http" OR sourcetype="LAN-http","LAN")
| timechart span=4h sum(count) by ids
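As an added example (not part of the original thread, not the asker's or the answerer's search), here is how I would write the same tstats search for a 4-hour dashboard panel. Two things are worth making explicit: the 4-hour bucket is set in both tstats and timechart so the tsidx aggregation and the chart agree, and the case() gets a catch-all branch so an alert sourcetype that is not mapped to WAN or LAN does not silently vanish from the chart. The thread only names three of the four sourcetypes and repeats LAN-http in the case(); the `LAN-ids` name below is an assumption, as is the `unmapped` label.

```spl
| tstats count where index=IDS by _time span=4h sourcetype
| eval ids=case(
    sourcetype="WAN-http" OR sourcetype="WAN-ids", "WAN",
    sourcetype="LAN-http" OR sourcetype="LAN-ids", "LAN",
    true(), "unmapped")
| timechart span=4h sum(count) by ids
```

tstats is fast here because it answers the count from the index's tsidx files without reading a single raw event; that only works because index, sourcetype, _time, source and host are indexed fields. If the grouping ever needs a field that is extracted at search time (an alert signature or severity, for example), tstats cannot see it and you are back to an event search or a summary built ahead of time. The "unmapped" series is also a cheap sanity check: if it ever shows a non-zero count, a new sourcetype has started landing in the IDS index that the panel does not account for.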