Why cant I Parse my search in the background? I have a fairly large search that I am trying to run and it will take a few hours to complete. It will be great to run this search in the background, but the option is grayed out when it is Parsing. How do I get around this?
This is my search and I need to run this for the last 3 months and turn it into a bar graph and a pie chart
sourcetype="digitalguardian:events" eventtype=egress_email Email_Sender="*@*" File_Type=* Operation="Send Mail" Domain_Name=SOUTH32| top limit=20 File_Type | addtotals row=f col=t labelfield=File_Type label=Email| search File_Type=Email count=* |fields - percent| append maxtime=300000 [ search sourcetype="digitalguardian:events" eventtype=egress_ntu Operation="Network Transfer Upload" File_Type=* Was_Removable=False Domain_Name=SOUTH32 | top File_Type | addtotals row=f col=t labelfield=File_Type label=Upload | search File_Type=Upload count=* |fields - percent] | append maxtime=300000 [search sourcetype="digitalguardian:events" eventtype=egress_removable Was_Removable=True File_Type=* Operation=* Domain_Name=SOUTH32 | top limit=20 File_Type | addtotals row=f col=t labelfield=File_Type label=Removable | search File_Type=Removable count=* |fields - percent]
↧