Video Screencast Help

any max running time limit of SSIM query?

Created: 04 Aug 2013 | 1 comment

In these days, I found some long time range (ex: monthly) events queries (such as Top 10 Connection accepted Dst IPs) could not finished in several days. Is there any max running time limit of slow SSIM query? Or any suggestion/solution? Thank you for your support!

SSIM version:

Dataset: Fortinet Firewall accepted/rejected connections (EPS: approx. 800)

Time range: monthly or Weekly

Operating Systems:

Comments 1 CommentJump to latest comment

Tariq Naik's picture

Running queries for several days definitely will not help. There are a few things you should look at: -

  1. Is the server sized correctly. When you size the hardware, you should size it for existing expected peak EPS + 3 years EPS growth potential + 30% for querying. It is important to leave room for querying for good query performance.
  2. You can enable a any summarizers related to your queries. This must be done carefully as summarizers have a performance overhead of their own.
  3. You can also work with support or Symantec Services to enable indexing of additional fields that may help your queries. This must be done carefully as this will also have a performance overhead.

Hope this helps.