Hello.
I have this search:
index="flow" earliest=-15m latest=now
| append [search index="flow" earliest=-15m latest=-60s
| eventstats sum(cli2srv_bytes_full) as upload_by_local_ip2 sum(srv2cli_bytes_full) as download_by_local_ip2 by local_ip, remote_ip
| dedup local_ip remote_ip
| table new_time local_ip remote_ip upload_by_local_ip2 download_by_local_ip2
| outputlookup append=false flows_search.csv
]
| lookup flows_search.csv local_ip remote_ip OUTPUT upload_by_local_ip2, download_by_local_ip2
| eventstats sum(cli2srv_bytes_full) as upload_by_local_ip sum(srv2cli_bytes_full) as download_by_local_ip by local_ip, remote_ip
| dedup local_ip remote_ip
| eval upload_by_local_ip2 = if(isnull(upload_by_local_ip2), 0, upload_by_local_ip2)
| eval download_by_local_ip2 = if(isnull(download_by_local_ip2), 0, download_by_local_ip2)
| eval limit = upload_by_local_ip - upload_by_local_ip2
So, I calculated transmitted bytes from -15m to now and from -15m to -1m, and viewed how they change. This is the question:
I think this is difficult code and has overhead.
How do I optimize the search?
Thanks in advance.
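An added example (editor's, not the poster's search): the same two-window byte totals computed in a single pass. It assumes the field names from the post (cli2srv_bytes_full, srv2cli_bytes_full, local_ip, remote_ip) and that the "-15m to -1m" window is meant as events older than 60 seconds before search time. Instead of a subsearch, an outputlookup/lookup round trip and eventstats followed by dedup, each event is tagged with whether it falls in the earlier window, and one stats command sums both windows per (local_ip, remote_ip) pair:

```spl
index="flow" earliest=-15m latest=now
| eval prior_window = if(_time < relative_time(now(), "-60s"), 1, 0)
| stats sum(cli2srv_bytes_full) as upload_by_local_ip
        sum(srv2cli_bytes_full) as download_by_local_ip
        sum(eval(if(prior_window=1, cli2srv_bytes_full, 0))) as upload_by_local_ip2
        sum(eval(if(prior_window=1, srv2cli_bytes_full, 0))) as download_by_local_ip2
        by local_ip remote_ip
| eval limit = upload_by_local_ip - upload_by_local_ip2
| table local_ip remote_ip upload_by_local_ip upload_by_local_ip2 download_by_local_ip download_by_local_ip2 limit
```

Because stats produces one row per pair, the dedup is no longer needed, and pairs with no traffic in the earlier window get 0 from the sum(eval(...)) terms, so the isnull() fixups go away too. Note that `limit` here is simply the bytes seen in the last 60 seconds of the window, which is also what the original search computes once both subsearch and outer search run against the same data; in the original, the two `now` values differ by however long the subsearch takes, which can shift a few events between windows. If flows_search.csv is consumed by other searches, keep a separate scheduled search that writes it with outputlookup rather than generating it inline.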