The following changes will make the command work reliably in a larger environment.
1. Fix to allow tstats to work with the command:
   Edit line 30 of levenshtein.py in bin: replace the check if '_raw' in r with the following.
   if string1 in r and string2 in r:
2. Add to commands.conf:
   retainsevents=true
   streaming=true
If you make the above changes you will be able to use the command with tstats across data models such as Network Resolution for DNS queries. This performs much faster, because accelerated data models outperform normal SPL index=... sourcetype=... searches.
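To show why the line-30 change matters, here is an added, stand-alone Python illustration (not the app's own levenshtein.py and not using the Splunk SDK): tstats rows from an accelerated data model carry the model's fields but no _raw, so a check on '_raw' skips every such row, while checking for the two compared fields handles raw events and tstats rows alike. The field names query and known_domain, the sample rows, and the pass-through behaviour for records that fail the check are assumptions made for this example.

```python
# Added example (not the app's own levenshtein.py): shows why the fix matters.
# A tstats search over an accelerated data model returns summary rows that
# carry the data-model fields (e.g. query, src) but no _raw field, so a
# per-record check on '_raw' silently skips every tstats row. Checking for
# the two compared fields instead works for raw events and tstats rows alike.
# Field names and sample rows below are constructed for illustration.

def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def add_distance(records, string1, string2, out="distance", require_raw=False):
    """Mimic the streaming command: attach an edit distance to each record.

    require_raw=True reproduces the original behaviour (the record is only
    processed when it has a _raw field); require_raw=False is the patched
    check from the page. Records that fail the check are passed through.
    """
    result = []
    for r in records:
        r = dict(r)  # do not mutate the caller's record
        ok = ('_raw' in r) if require_raw else (string1 in r and string2 in r)
        if ok:
            r[out] = levenshtein(str(r[string1]), str(r[string2]))
        result.append(r)
    return result


# Constructed sample: one raw DNS event and one tstats summary row (no _raw).
RAW_EVENT = {"_raw": "... query=examp1e.com ...", "query": "examp1e.com",
             "known_domain": "example.com"}
TSTATS_ROW = {"query": "examp1e.com", "known_domain": "example.com",
              "count": 12}

if __name__ == "__main__":
    before = add_distance([RAW_EVENT, TSTATS_ROW], "query", "known_domain", require_raw=True)
    after = add_distance([RAW_EVENT, TSTATS_ROW], "query", "known_domain")
    print("original check:", [r.get("distance") for r in before])  # [1, None]
    print("patched check: ", [r.get("distance") for r in after])   # [1, 1]
```

With the original check the tstats row gets no distance at all, which is why the command appeared not to work over data models; with the patched check both rows are scored.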