My company is heavily using CIM accelerated data models for our security monitoring. We are currently experiencing performance issues and we think that data model acceleration is contributing to them. The searches that accelerate these data models are consistently the top memory-using searches, they run for a long time, and they are often behind. Is there a way to optimize these searches so that they aren't as taxing on the system? Here's how we have the CIM macros set up:
(index="index1" AND sourcetype="sourcetype1")
OR (index="index2" AND (sourcetype="sourcetype2" OR sourcetype="sourcetype3")
OR (index="index3" AND sourcetype="sourcetype4")
And so forth. Any suggestions? We are on version 7.0.4.
↧