I have Cisco ESA logs coming into Splunk and extractions are working as they are meant to. The logs are sent by syslog and each line of the event appears to be an entry in the index. So that I can combine a transaction in ESA I use the following spl query (mid is the common field)
index=foo | transaction mid
This will give me the required block for a particular mid (message id) that has come through the ESA device.
I can do searches from here. For example:
index=foo | transaction mid | search spam_status = positive
For a 15 minute search this is quite quick. However, for a 24 hour block (particularly if I am trying to do some reporting on the number of, say, spam negative vs. positive) the search takes a very, very long time. In fact, if I stop the search I end up with 0 results. For example:
index=foo | transaction mid | stats count by spam_status
Is there a way I can do this transaction without waiting an eternity for the search to do something (if it ever finishes)?
If I shortcut the search, say with
index=foo mid=123456 | transaction mid | stats count by spam_status
then the search is fast. However, this depends on knowing the mid, which will change every day, so it is not feasible, especially for doing reports from the available logs.
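For comparison, here is a stats-based version of the same per-mid grouping. This is an added example, not from the post above: it assumes the only fields of interest are mid and spam_status, and that a given mid carries at most one spam_status verdict line (the no_verdict label is a constructed placeholder for mids that never got a verdict in the time range).

```spl
index=foo
| stats count AS line_count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        latest(spam_status) AS spam_status
  BY mid
| eval spam_status=coalesce(spam_status, "no_verdict")
| stats count BY spam_status
```

Unlike transaction, which has to hold every event for every open mid on the search head and silently drops groups once the limits.conf [transaction] maxopentxn/maxopenevents limits are hit, stats is a distributable streaming aggregation, so it scales to a 24 hour range and never returns a truncated count without saying so.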