Hi,
I've got these strange XML logs, where each log has (among other things) a username and an arbitrary number of hashes, each stored in its own XML field. A simplified version of the log is shown below.
[...]hettervi sdflkjsdf sdfoiujkalw [...]powkerldsf
There are usually no more than around 13-14 hashes for each event, and what I'm trying to do is to count by users and hashes. To do this I've used the foreach and mvappend commands to make the XML fields into a multivalue field, and then count by that new multivalue field, as shown in the search below.
| foreach hash* [ eval hashes=mvappend(hashes, '<<FIELD>>') ]
| stats count by hashes user
The problem is this is quite slow, mostly due to the big amount of logs. I've looked into making a multivalue indexed field so that I can use tstats instead of stats, or use an accelerated datamodel with a multivalue field for the hashes, but as far as I can tell this isn't possible. Any idea on how I can make this search faster, e.g. by doing some indexing and tstats magic?
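An equivalent way to build the multivalue field, added here as an illustration and not part of the original post: instead of running foreach over every per-event hash field, one rex with max_match=0 pulls every hash element out of the raw event into a single multivalue field, and stats then splits each user/hash pair into its own row. It assumes the hash values sit in XML elements named hash1, hash2, ... (matching the hash* fields in the question) and that index=xml_logs and sourcetype=xml_events are placeholders for the real ones.

```spl
index=xml_logs sourcetype=xml_events
| rex field=_raw max_match=0 "<hash\d+>(?<hashes>[^<]+)</hash\d+>"
| stats count by user hashes
```

The rex pattern runs against _raw, so it works even when the XML field extractions are not search-time-indexed; because hashes is multivalue, stats counts each (user, hash) combination separately, which is the same result the foreach/mvappend version produces. Whether it is faster on a given index depends on the data, so compare both in the Job Inspector before switching.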