We have a slow-running search to pull the Account name from Windows security logs.
index=security sourcetype="WinEventLog:*" object="WinEventLog:Security" | eval SID=Upper(SID) | stats Last(SID) as SID by host | Lookup Phonebook_Lookup SID as SID Output First_Name Last_Name Region | Table host SID First_Name Last_Name | Sort host
Any assistance in optimizing this query would be much appreciated.