I want to create a search that will look over the last 30 days of vulnerability events and only retain those events that are from the most recent scan of a host. I can think of a few ways to do that, but I'm wondering if there is a more efficient way that I'm missing...
Create a lookup table with the max(_time) and dest and use a lookup+where clause to only retain events where _time=max(_time)
Use a join command to join the output of a "stats max(_time) by dest" subsearch to the original events and use where to filter them.
Use a multisearch with one search for the vulnerability events and another that does the "stats max(_time) by dest" and use a transaction to bind them together and then filter with where.
I could also probably do it with the map command...
What is the best route to solve this problem?
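Added example, not from the original post: a join-free way to keep every event from each host's most recent scan. eventstats attaches the per-dest maximum timestamp to each event in the same pipeline, so no lookup, join, multisearch or map is needed, and the base search stays constrained to the 30-day window. The index, sourcetype, the 1-hour span and the scan_bucket/last_scan field names are assumptions; dest and _time are the fields from the question.

```spl
index=vuln sourcetype=nessus earliest=-30d
| bin span=1h _time AS scan_bucket
| eventstats max(scan_bucket) AS last_scan BY dest
| where scan_bucket = last_scan
| fields - scan_bucket, last_scan
```

The bin step is there because the events produced by one scan of a host rarely share an identical _time; comparing raw _time against max(_time) would keep only the final event of the scan rather than all of them. Pick a span at least as long as a single-host scan takes, and drop the bin line if your scanner stamps every finding of a scan with the same time. Note that a `sort - _time | dedup dest` variant keeps exactly one event per host, not the whole scan, so it answers a different question. eventstats holds all matching events on the search head, so keep the base search as tight as possible (index, sourcetype, and any scan-result filters) before it.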