I'm trying to understand if there is a way to improve search time. I am correlating fields from 2 or 3 indexes where the IP is the same.
Not all indexes will have matching data.
Is there a different search method I should consider? Is there something specific I should look for in the Job Inspector? (I did see search.kv invoked 235 times / 50 secs, not sure why.)
Appreciate any suggestions or tips or directions to look in!
(sourcetype="dns" index=ipamdns NOT "notify" x.x.x) OR (index=ipamdns sourcetype="dhcp") OR (sourcetype="eventlog_security" security_ip=*)
| eval ip_match=coalesce(dhcp_client_ip, dns_request_client_ip, security_ip)
| stats
    values(dhcp_client_ip) as dhcp_ip
    values(dhcp_hostname) as dhcp_hostname
    values(dns_request_client_ip) as dns_client_ip
    values(security_ip) as security_ip
    values(Workstation_Name) as hostname
    values(Account_Domain) as domain
    by ip_match
| where NOT isnull(dhcp_hostname) AND NOT isnull(dns_client_ip)
| fields - src_ip, dns_client_ip, ad_client_ip, ad_client_name
The job inspector shows:
Duration (seconds)  Component                                     Invocations  Input count  Output count
              0.24  command.addinfo                                       236    2,855,808     2,855,808
              1.57  command.eval                                          236    2,855,808     2,855,808
              0.22  command.fields                                        237    2,856,174     2,856,174
              5.44  command.prestats                                      236    2,855,808       168,181
             70.45  command.search                                        236            -     2,855,808
             13.16  command.search.filter                                 235            -             -
              2.37  command.search.fieldalias                             235    2,916,002     2,916,002
              0.68  command.search.index                                    5            -             -
              0.23  command.search.calcfields                             235    2,916,002     2,916,002
              0.05  command.search.expand_search                            1            -             -
              0.00  command.search.index.usec_1_8                       4,221            -             -
              0.00  command.search.index.usec_64_512                        9            -             -
              0.00  command.search.index.usec_8_64                        685            -             -
             50.60  command.search.kv                                     235            -             -
              3.86  command.search.rawdata                                235            -             -
              0.24  command.search.tags                                   235    2,855,808     2,855,808
              0.24  command.search.typer                                  235    2,855,808     2,855,808
              0.23  command.search.lookups                                235    2,916,002     2,916,002
              0.15  command.search.summary                                236            -             -
              0.00  command.search.parse_directives                         1            -             -
              0.93  command.stats                                         238      168,181             -
              0.92  command.stats.execute_input                           237      168,181             -
              0.02  command.stats.execute_output                            1            -             -
              0.00  command.where                                           1        6,494           366
              0.01  dispatch.check_disk_usage                               8            -             -
              0.00  dispatch.createdSearchResultInfrastructure              1            -             -
              0.07  dispatch.evaluate                                       1            -             -
              0.07  dispatch.evaluate.search                                1            -             -
              0.00  dispatch.evaluate.eval                                  1            -             -
              0.00  dispatch.evaluate.fields                                1            -             -
              0.00  dispatch.evaluate.stats                                 1            -             -
              0.00  dispatch.evaluate.where                                 1            -             -
             75.52  dispatch.fetch                                        237            -             -
             77.14  dispatch.localSearch                                    1            -             -
              0.08  dispatch.optimize.FinalEval                             1            -             -
              0.18  dispatch.optimize.matchReportAcceleration               1            -             -
              0.00  dispatch.optimize.optimization                          1            -             -
              0.00  dispatch.optimize.reparse                               1            -             -
              0.00  dispatch.optimize.toJson                                1            -             -
              0.00  dispatch.optimize.toSpl                                 1            -             -
              0.79  dispatch.preview                                       60            -             -
              0.62  dispatch.preview.stats.execute_output                  60            -             -
              0.16  dispatch.preview.command.where                         60      210,093        10,060
              0.06  dispatch.preview.command.fields                        60       10,060        10,060
              0.06  dispatch.preview.write_results_to_disk                 60            -             -
             77.23  dispatch.stream.local                                 236            -             -
              0.22  dispatch.writeStatus                                  126            -             -
              0.03  startup.configuration                                   1            -             -
              0.09  startup.handoff                                         1            -             -
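As an added example (not part of the original question), a small Python script that parses Job Inspector output in the shape quoted above and ranks the components by time, so that the cost of search-time field extraction (command.search.kv) can be read as a fraction of command.search rather than eyeballed from the table. The sample rows are a subset copied from the table; parse_job_inspector, top_components and share are hypothetical helper names.

```python
# Sample rows copied from the Job Inspector table in the question (a subset);
# '-' marks a count the inspector does not report for that component.
SAMPLE = """\
Duration (seconds) Component Invocations Input count Output count
1.57 command.eval 236 2,855,808 2,855,808
5.44 command.prestats 236 2,855,808 168,181
70.45 command.search 236 - 2,855,808
13.16 command.search.filter 235 - -
50.60 command.search.kv 235 - -
0.93 command.stats 238 168,181 -
77.14 dispatch.localSearch 1 - -
0.09 startup.handoff 1
"""

def _count(token):
    """'2,855,808' -> 2855808; '-' -> None (not reported)."""
    return None if token == "-" else int(token.replace(",", ""))

def parse_job_inspector(text):
    """Parse one component per line into a dict; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue
        parts += ["-"] * (5 - len(parts))  # rows like startup.handoff omit counts
        rows.append({
            "component": parts[1],
            "duration": float(parts[0]),
            "invocations": _count(parts[2]),
            "input": _count(parts[3]),
            "output": _count(parts[4]),
        })
    return rows

def top_components(rows, n=3):
    """The n slowest components as (name, seconds), largest first."""
    ranked = sorted(rows, key=lambda r: r["duration"], reverse=True)
    return [(r["component"], r["duration"]) for r in ranked[:n]]

def share(rows, child, parent):
    """Fraction of the parent's time spent in a child, e.g. kv inside search."""
    d = {r["component"]: r["duration"] for r in rows}
    return round(d[child] / d[parent], 3)

if __name__ == "__main__":
    rows = parse_job_inspector(SAMPLE)
    print(top_components(rows))
    print("kv share of search:", share(rows, "command.search.kv", "command.search"))
```

Paste the full table from the inspector in place of SAMPLE to rank every component; a kv share close to 1 means almost all of the search phase went to field extraction rather than to reading events from the index.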