Hi,
When I am trying to search raw events for my query, say something like this:
report_name="MainReport" (xmlg_message="Request document" OR b2b_LText="Received request " OR MESSAGEID="*StartInbound")(index="A" OR index="B" OR index="C") (sourcetype="A" OR sourcetype="B" OR sourcetype="C") | fields index,SessionID,XMLG_ID,tradingPartnerId,tradingPartnerName,b2b_LText,xmlg_message,MESSAGEID | eval channel=case(index=="A","A Channel",index=="B" ,"B Channel",index=="C","C Channel")
It's giving me results for the last 7 days in 2:38 minutes, scanning 21 million events and matching 4 million events. But when I add a stats command to this, it runs for almost 17 minutes to complete the search. Please help. Is this the expected performance from stats?
Query with stats:
report_name="MainReport" (xmlg_message="Request document" OR b2b_LText="Received request " OR MESSAGEID="*StartInbound")(index="A" OR index="B" OR index="C") (sourcetype="A" OR sourcetype="B" OR sourcetype="C") | fields index,SessionID,XMLG_ID,tradingPartnerId,tradingPartnerName,b2b_LText,xmlg_message,MESSAGEID | eval channel=case(index=="A","A Channel",index=="B" ,"B Channel",index=="C","C Channel") | fillnull value=UNKNOWN | stats count by SessionID,XMLG_ID,channel,tradingPartnerId,tradingPartnerName
Please help. How can I fine-tune it to run faster, like the normal raw events search?