AWG Blogs

Sunday, October 2, 2011

Multi-threading SSIM Event Search

To ensure your search is multithreaded (and thus faster), as of 4.7.4.x you must break your search into separate archives. Note that SSIM is agnostic when it comes to archives: an "archive" is simply a directory with .edx, .key, .ndx, .sar, .tdx, .vdx files. However, an official archive will have an indexed_event_fields.txt file in it.

One quick way to do this is to unzip the Archive_CLI tool and run the search from the command line, inputting the archives separated by commas, e.g.:

date;java -server -Xmx512m -verbose:gc -XX:+UseConcMarkSweepGC -XX:+PrintGCTimeStamps -XX:+PrintGCDetails -jar simsar.jar -a /eventarchive/pixarchive1/,/eventarchive/pixarchive2/,/eventarchive/default,/eventarchive/ssimlogs -q "destination_ip = \"192.168.1.1\" & (destination_port = 80 | destination_port = 8080)" -c -S "," -r events.csv -V;date

Note the extra flags are for monitoring garbage collection. Check the threads in top to verify parallelism.
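
The comma-separated archive list passed to -a can be generated instead of typed by hand. The script below is an added example, not part of the original post or of the Archive_CLI tool. It assumes a directory counts as an archive only when it contains at least one file for each of the six extensions listed above; the function names and the demo file names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build the -a list for simsar.jar.

# Assumption: a directory is an archive only if it holds at least one file for
# each of the six extensions the post lists.
is_archive() {
    for ext in edx key ndx sar tdx vdx; do
        found=0
        for f in "$1"/*."$ext"; do
            if [ -f "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then return 1; fi
    done
    return 0
}

# One archive directory per line, sorted. A comma in a path would be read as a
# separator in the -a list, so such directories are reported and skipped.
list_archives() {
    find "$1" -type d | sort | while IFS= read -r d; do
        case $d in
            *,*) echo "skipped (comma in path): $d" >&2; continue ;;
        esac
        if is_archive "$d"; then printf '%s\n' "$d"; fi
    done
}

# Comma-separated value for -a.
archive_arg() { list_archives "$1" | paste -sd, -; }

# Archives without indexed_event_fields.txt (not "official" per the post).
unofficial_archives() {
    list_archives "$1" | while IFS= read -r d; do
        if [ ! -f "$d/indexed_event_fields.txt" ]; then printf '%s\n' "$d"; fi
    done
}

# Constructed sample tree; directory and file names are made up.
make_demo_tree() {
    for a in pixarchive1 pixarchive2 "bad,name"; do
        mkdir -p "$1/$a"
        for ext in edx key ndx sar tdx vdx; do : > "$1/$a/events.$ext"; done
    done
    : > "$1/pixarchive1/indexed_event_fields.txt"
    mkdir -p "$1/not_an_archive"
    : > "$1/not_an_archive/readme.txt"
}

if [ "$#" -eq 1 ]; then archive_arg "$1"; fi
```

Run with the archive root as the only argument and use the printed list as the value of -a in the command above.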