Hello,
I am trying to run the below search under a huge index that contains Cisco Firewall data:
index=cisco_firewall host="firewall_name*"
| search action!="teardown" AND action!="success" AND action!="failure" AND vendor_class=acl AND src_interface="Intra*"
| rex "access-list (?<ACL>.*) +permitted"
| lookup dnslookup clientip as src_ip OUTPUT clienthost as Source_DNS
| lookup dnslookup clientip as dest_ip OUTPUT clienthost as Dest_DNS
| rename src_ip AS Source_IP, src_port AS SRC_Port, dest_ip AS Dest_IP, transport AS Protocol, dest_port AS Dest_Port
| table Source_IP, Source_DNS, SRC_Port, Dest_IP, Dest_DNS, Protocol, Dest_Port, ACL
| dedup Source_IP, Dest_IP, Dest_Port
I need to run the search over old data that is stored on NAS storage as cold buckets. The search never completes. It gets stuck at around 91% of the time range scanned. The data is split across 40 indexers. The search environment is a SH cluster with 3 members.
Is there any way I can improve the search performance? The job inspector shows that most of the time is spent in the command.search component.
Best regards
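As an added example (not part of the original post), here is the same search restructured so that more of the work stays on the indexers. All static filters, plus the literal keyword `permitted` that the rex already requires, move into the base search so the tsidx and bloom filters can skip cold buckets that cannot match instead of decompressing their raw data; a distributable `stats` replaces `dedup`, so the reduction to one row per source, destination and destination port happens on the 40 indexers before events cross to the search head; and the two `dnslookup` calls, which resolve names externally per row, run on the reduced result set rather than on every event. Index, host and field names are taken from the question. `first()` is an assumption chosen to mirror `dedup` keeping the most recent event per key. Note the caveat: adding `permitted` to the base search drops events the rex would never have matched, so rows that previously had an empty ACL no longer appear.

```spl
index=cisco_firewall host="firewall_name*" vendor_class=acl src_interface="Intra*" permitted
    action!="teardown" action!="success" action!="failure"
| rex "access-list (?<ACL>\S+) +permitted"
| stats first(src_port) AS SRC_Port, first(transport) AS Protocol, first(ACL) AS ACL
    BY src_ip, dest_ip, dest_port
| lookup dnslookup clientip AS src_ip OUTPUT clienthost AS Source_DNS
| lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS Dest_DNS
| rename src_ip AS Source_IP, dest_ip AS Dest_IP, dest_port AS Dest_Port
| table Source_IP, Source_DNS, SRC_Port, Dest_IP, Dest_DNS, Protocol, Dest_Port, ACL
```

To confirm the effect, compare the Job Inspector for the original and the rewritten search over the same short time range: `scanCount` should drop because fewer buckets and events are read from the NAS, and the `command.search` time should shrink with it, while the time attributed to the lookups falls because they now process only the reduced rows.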