My search is simple:
sourcetype=log_data | iplocation c_ip | geostats latfield=lat longfield=lon count
but I have a lot of data, about 100,000,000 logs a day, and the customer wants a monthly summary. A monthly search would be too slow. I'd like to be able to write a daily summary and schedule it, but there is no summary indexing for the geostats command (no **si**geostats). Ideas on another way to approach this?