The below query is used to return the error distribution in 3 layers (Application, DataService & Queue) for a time range of two months.
Currently the query takes more than 5 mins to return the result.
index=performance host="prod*" AND host= "/*web/*" earliest=1500076800 latest=1504915200
| eval layer="Application"
| append [search index=performance host="prod*" MQ _raw="/*ERROR/*" earliest=1500076800 latest=1504915200 | eval layer="Queue"]
| append [search index=performance host="prod*" exception="*sql*" sqlserver OR db2 earliest=1500076800 latest=1504915200
    | append [search index=de riak sourcetype=kvs_console "\[error\]" host="prod*" earliest=1500076800 latest=1504915200 ]
    | append [search index=de host="*prod*" source="*memsql*" "ERROR" earliest=1500076800 latest=1504915200 ]
    | append [search index=de OR index=app sourcetype="solr_log" SEVERE OR ERROR earliest=1500076800 latest=1504915200 ]
    | eval layer = "DataService"]
| stats count by layer
The query is added as a search panel to a dashboard. How can I tune this query so that it gives me faster results?