How to speed up log search time with transaction
I have Cisco ESA logs coming into Splunk and extractions are working as they are meant to. The logs are sent by syslog and each line of the event appears to be an entry in the index. So that I can combine a transaction in ESA I use the following SPL query (mid is the common field):

    index=foo | transaction mid

This will give me the required block for a particular mid (message id) that has come through the ESA device. I can do searches from here. For example:

    index=foo | transaction mid | search spam_status=positive

For a 15 minute search, this is quite quick. However, for a 24 hour block (particularly if I am trying to do some reporting on the number of, say, spam is negative or positive) the search takes a very, very long time. In fact, if I stop the search I end up with 0 results. For example:

    index=foo | transaction mid | stats count by spam_status

Is there a way I can do this transaction without waiting an eternity for the search to do something (if it ever finishes)? If I shortcut the search, say with:

    index=foo mid=123456 | transaction mid | stats count by spam_status

then the search is fast. However, this depends on knowing the mid, which will change every day, so it is not feasible, especially when doing reports from the available logs.
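As an added example that is not part of the original post, the same 24 hour report written without `transaction`, assuming the index name `foo` and the field names `mid` and `spam_status` from the question. `stats ... BY mid` is a distributable command, so the indexers do the grouping in parallel and nothing has to hold whole message transactions in search head memory; `transaction` is what makes the long window so slow.

```spl
index=foo
| stats values(spam_status) AS spam_status count AS lines BY mid
| where isnotnull(spam_status)
| stats count BY spam_status
```

The first `stats` collapses every syslog line of one message into a single row keyed on `mid`; the `where` drops messages whose lines never carried a spam verdict, and the filtered version of the original search is `| search spam_status=positive` inserted after the first `stats`. If several different `spam_status` values ever appear for one `mid`, that row counts once per value in the final `stats`, so check `lines` and the multivalue field on a sample `mid` before trusting the totals.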
