I am trying to make a summary index for data in April 2014.
Using the current default search and joins, and to query more than 25 GB of data takes more than 35 seconds of time.
I want to use a summary index to reduce the amount of time used in the search.
index=mail-bak sourcetype=MiMailData earliest="04/01/2014:00:00:00" latest="04/30/2014:24:00:00" MailType=0 OR MailType=1 OR MailType=2 | where isnull(MailCc)
| join MailUID [search index=vpn sourcetype=accesslog earliest="05/01/2014:00:00:00" latest="05/01/2014:24:00:00" | stats count as VpnAccessCount by USER_ID | eval MailUID = USER_ID ]
| eval testYn = if( match( MailTo , MailFrom ), "Y", "N")
| eval testYn2 = if( match( MailTo , ","), "Y", "N") | search testYn = "Y" AND testYn2 = "N"
| stats count as SendWeekCount by MailUID VpnAccessCount | rename MailUID as MailTo
| table MailTo SendWeekCount VpnAccessCount
Where's the part that is included in the search command?
What time zone settings?
In addition to setting the part?
Answer please. Thank you.
... View more