All,
I have this search here and it's pretty slow. Any recommendations to speed it up? Currently 250.249 seconds and that just seems high.
index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h
NOT [ search index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now | fields host | dedup host | table host ]
| fields host | dedup host | table host
| tstats count where index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h by host
| eval time="old"
| append [ |tstats count where index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now by host
| eval time="current"]
| stats dc(time) as flag values(time) as time max(_time) as _time by host
| where flag = 1 AND time = "old"
I think it's fast enough.
Forgot about the metadata command
| metadata type=hosts index=osnixsec sourcetype=linux:audit
| eval now = now()
| eval twohoursago = now - 3600 - 3600
| where lastTime < twohoursago
| eval _time = lastTime
| table _time, host
Any other improvements?