When I run the simple search
host=hostname source="/var/log/audit/audit.log" | transaction fields=msg | search keyword
and select "Last 60 minutes" or larger, I get "No results found",
but if I run the exact same search and select "Last 15 minutes" I get results.
I am running on a 6-month 50G trial license, and have only ingested under 2G on any given day (it is only a few-day-old test system).
Running on a RHEL 6 VM with 4 CPUs and 5GB memory, and plenty of hard drive space.
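For readers unfamiliar with what the search in the post is meant to do: Linux auditd writes several records per event (SYSCALL, CWD, PATH, EXECVE, ...) and all records of one event share the same msg=audit(timestamp:serial) value, so `transaction fields=msg` stitches them back into one event before `search keyword` is applied, which lets a keyword that occurs in only one record (say a filename in the PATH record) pull in the whole event. The Python below is an added illustration of that grouping-then-filtering logic on constructed sample lines; it is not Splunk code, not from the original post, and it does not reproduce or explain the time-range behaviour the poster asks about. The helper names (`transaction_by_msg`, `search_transactions`) and the sample records are my own.

```python
import re
from collections import OrderedDict

# Constructed sample auditd lines (not from the original post). Records that
# belong to one audit event share the same msg=audit(<timestamp>:<serial>).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2345 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=CWD msg=audit(1700000000.123:501): cwd="/root"
type=PATH msg=audit(1700000000.123:501): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1700000001.456:502): pid=3456 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000002.789:503): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2345 pid=4567 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key=(null)
type=EXECVE msg=audit(1700000002.789:503): argc=1 a0="id"
"""

# The event identifier auditd stamps on every record of one event.
MSG_RE = re.compile(r"\bmsg=audit\((\d+\.\d+):(\d+)\)")


def transaction_by_msg(lines):
    """Group raw audit records into events keyed by the msg=audit(ts:serial)
    value, preserving first-seen order. This is a rough analogue of the
    Splunk `transaction fields=msg` step, not a reimplementation of it."""
    events = OrderedDict()
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = MSG_RE.search(line)
        # A record without a msg field cannot be correlated; it stands alone.
        key = (m.group(1), m.group(2)) if m else ("", line)
        events.setdefault(key, []).append(line)
    return events


def search_transactions(events, keyword):
    """Keep only the grouped events whose concatenated records contain the
    keyword (case-insensitive), i.e. `| search keyword` applied after the
    grouping. A hit in any single record returns the whole event."""
    needle = keyword.lower()
    return OrderedDict(
        (key, records)
        for key, records in events.items()
        if needle in "\n".join(records).lower()
    )


if __name__ == "__main__":
    grouped = transaction_by_msg(SAMPLE_AUDIT_LOG.splitlines())
    hits = search_transactions(grouped, "/etc/shadow")
    for (ts, serial), records in hits.items():
        print(f"event {ts}:{serial} ({len(records)} records)")
        for rec in records:
            print("   ", rec)
```

Running it prints the three records of event 501 (SYSCALL, CWD and PATH) even though only the PATH record mentions /etc/shadow; without the grouping step a plain keyword search would return the PATH line alone and lose the uid, comm and exe fields that live in the SYSCALL record.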