We are collecting logs from various sources. The volume of logs is huge, nearly 20 million per day. Each log source has a different field name for the event, such as EventName, Signatures, Event, name or CloudEvent.
With this kind of data, I need to create a data model so that when I run a tstats search I get the results quicker. Could someone please suggest what steps I need to follow to create a data model for top events?
Do I need to have both a root event and a root search?
If anyone can share the parameters that I need to enter in the root event constraints and root search, that would be great.
Thanks,
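One way to set this up, as an added example that is not part of the original post and not the poster's own configuration: normalise the per-source event field into a single field at search time, put a root event dataset with a plain filter constraint over the sources, accelerate the data model, and let tstats read the summary. The index name `security`, the sourcetype names and the data model name `Security_Events` are assumptions; the candidate field names are the ones listed in the post. Only a root event dataset is used here: it is the dataset type acceleration is built around, and a root search dataset is only needed when the base search requires commands beyond a filter (and transforming commands in it prevent acceleration).

```conf
# props.conf (search-time): give every source the same field, event_name.
# Sourcetype names are assumptions; the source field names come from the post.
[vendor_a:firewall]
FIELDALIAS-event_name = EventName AS event_name

[vendor_b:ids]
FIELDALIAS-event_name = Signatures AS event_name

# A source that carries several candidate fields gets a calculated field;
# coalesce() returns the first non-null value, left to right.
[vendor_c:cloud]
EVAL-event_name = coalesce(CloudEvent, Event, name)

# Data model Security_Events (Settings > Data models), one root EVENT dataset,
# also named Security_Events. The root event constraint is a plain filter with
# no pipes or transforming commands:
#
#   index=security sourcetype IN ("vendor_a:firewall", "vendor_b:ids", "vendor_c:cloud")
#
# Dataset fields: event_name (Auto-Extracted, so the alias/calculated field
# above is picked up), plus the defaults _time, host, source and sourcetype.
# No root search dataset is needed for a top-N count.

# datamodels.conf: accelerate the model so tstats reads the summary, not raw events.
# Keep the window to what the dashboards actually query; 7 days is an assumption.
[Security_Events]
acceleration = 1
acceleration.earliest_time = -7d
acceleration.max_concurrent = 1

# Top 20 events from the accelerated summary (SPL, run from the Search app):
#
#   | tstats summariesonly=true count FROM datamodel=Security_Events.Security_Events
#       WHERE nodename=Security_Events BY Security_Events.event_name
#   | sort -count | head 20
#
# Check the normalisation before trusting the summary: every sourcetype should
# report a non-empty event_name, otherwise the alias for that source is wrong.
#
#   | tstats count FROM datamodel=Security_Events.Security_Events
#       BY sourcetype, Security_Events.event_name
```

Two caveats worth keeping in mind: `summariesonly=true` returns nothing for time ranges the summary has not been built for yet (drop it to fall back to raw events while the initial backfill runs), and any change to the root constraint or to the dataset's field list invalidates the existing summary, so adding a sixth source later means the model rebuilds over the whole acceleration window.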