I'm working on some statistics related queries. I'm trying to get the security id, date and count of hosts connected to.
```spl
index=wineventlog sourcetype="WinEventLog:Security" 4624
| fields host, Security_ID, _time
| bucket _time span=1d
| stats dc(host) by Security_ID, _time
```
They work perfectly until I start adding Security_ID. With no `by` command or only based on time it's fast.
I also tried to do a `dedup Security_ID, _time, host` before the stats dc command but it didn't help the overall speed.
It takes well over 10 minutes to complete this search for a week, and I'd like to be able to run this for 30, 60, or 90 days. What do I need to do for that to be viable?
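One way to make the 30/60/90-day version viable, as an added example that is not part of the original post: since the query already buckets by day, compute the per-day distinct host count once with a scheduled search and write those rows to a summary index, then report over the summary rows instead of the raw 4624 events. The summary index name `summary_logons`, the marker value `report=logon_hosts_per_day` and the output field `host_count` are assumed names; `EventCode` is the standard field name for the Windows event ID.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
| fields host, Security_ID, _time
| bucket _time span=1d
| stats dc(host) AS host_count BY Security_ID, _time
| collect index=summary_logons marker="report=logon_hosts_per_day"

index=summary_logons report=logon_hosts_per_day earliest=-90d@d
| table _time, Security_ID, host_count
| sort - _time, Security_ID
```

Schedule the first search daily over the previous day (`earliest=-1d@d latest=@d`) so each run adds one row per Security_ID; the second search only reads those pre-aggregated rows, so its run time no longer grows with the raw logon volume.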