I have a query that is being blocked from retrieving all relevant data due to a policy to keep queries under 500mb. Is there any way I could optimize this query?
index=Nitro_server=xs_json earliest=-48h
| rename hdr.nitro as nitro_loc
| join type=inner
[ inputlookup nitro_loc.csv
| search TimeZone="C" OR "CDT"
| eval nitro_loc=case(len(STORE)==4,STORE,len(STORE)==3,"0".STORE,len(STORE)==2,"00".STORE,len(STORE)==1,"000".STORE) ]
| search Model="*v10*" nitro_loc="*" FirmwareVersion = *
| dedup "Mac_Address"
| stats count by FirmwareVersion TimeZone
Any suggestions would be appreciated!