Help Improve my search?

dpwtheitguy · ‎01-28-2021

All,

I have this search here and it's pretty slow. Any recommendations to speed it up? Currently 250.249 seconds and that just seems high.

to4kawa · ‎01-28-2021

| tstats count where index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-7d@d latest=-2h@h by host
| eval time="old"
| append [ |tstats count where  index=osnixsec sourcetype=linux:audit host=*domain.net earliest=-2h@h latest=now by host
| eval time="current"]
| stats dc(time) as flag values(time) as time max(_time) as _time by host
| where flag = 1 AND time = "old"

I think it's fast enough.

dpwtheitguy · ‎01-28-2021

Forgot about the metadata command

Any other improvements?

Help Improve my search?

other

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...