When I run the search below in Fast mode for the last 7 days, it takes more than 60 minutes; it is giving results and is still taking time. Is there a way that I can modify my search to get results in less time? Please help.
Query =
index=pan_logs OR index=cisco_395
(sourcetype="test" OR sourcetype="test2" OR sourcetype="test3")
(dest="a" OR dest="b" OR dest="c" OR dest="d" OR dest="e" OR dest="f")
| lookup test.csv IP as src
| search PCI=y
| dedup dest_port src dest host rule
| table _time dest_port src dest host rule action