rewritex
First off, great seeing you at SplunkLive! yesterday, hope you enjoyed the event.
Now, down to business...
Is there a way that you can re-write your initial search to be more inclusive and less exclusive?
"process=* NOT (logiz OR cron OR crond OR syslog-ng OR tmtm OR snm OR ssd OR httpd OR mpd)"
If you remove the NOT and get away from the "process=*" you may find more efficiency in your search with something along the lines of
(process=dpi OR pcrocess=zzm1)
I also like the approach of grouping transactions by the vpn_session_id as this seems a bit more accurate and more likely to contain all relevant data about that session, I'd suggest though adding a maxspan= or even better yet a maxevents= option if you can just to help your search close out transactions.
Can you provide some examples of how the time is being screwed up in option 1? I think this option best fits your need so I'd like to see more around your cons there and if we can alleviate those, I think you're going to have what you want/need.
... View more