I am running into a concurrent search / disk quota limit with a custom app I have written. The app sits on my ES search head, as the data for an investigation is there and it is the spot most of our analysts will use. My dashboard has 11 panels in it and I tried to use post-process searches, but I think my queries were wrong, and hence I deleted my app so I can recreate it from scratch (I backed up the config). The search itself looks for a certain set of EventCodes that are produced by Windows to deal with mostly group additions. What I would like to know is how I can optimise my search so that I am using "1" search and not "13" + the ES searches, which is grinding one specific account to sit with a permanent "waiting for data".
This was my **original** script in each panel (note that I had a search id on my top search, but I wasn't referencing it in the panel because I was missing the search base).
The other panels are pretty much copy and paste but follow a similar vein, for example:

Enterprise Admin Change

```
| search EventCode="4756" AND Group_Name="Enterprise Admins" AND action="success"
| timechart dc(Group_Name) span=24h
| appendpipe [stats count
| where count=0]
```
If I fix this up, my search panel should look something like this (adding base= to the search tag):

Enterprise Admin Change

```
| search EventCode="4756" AND Group_Name="Enterprise Admins" AND action="success"
| timechart dc(Group_Name) span=24h
| appendpipe [stats count
| where count=0]
```
Is this the best way to do this, so that effectively a dashboard like this uses 1 search, and then post-processing takes the existing data based on the query in each relevant panel? Can I optimise this any further? I considered maybe taking out `fields *` and being prescriptive about which values to pull out.
It would be great to get some thoughts around optimisation here. Thanks.
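The base-search plus post-process layout the question describes, written out as a complete Simple XML dashboard. This is an added example, not the poster's app or config: the index name, sourcetype, time-picker token and the second panel are assumptions, and EventCodes 4728 and 4732 (member added to a global / local group) are assumed alongside the 4756 the question mentions. The `| fields` line in the base search is the part that answers the `fields *` question: a non-transforming base search only hands its default fields to post-process searches, so the fields the panels filter and chart on have to be named explicitly.

```xml
<!-- Added example dashboard, not from the original post.
     Assumed: index=wineventlog, sourcetype WinEventLog:Security, the
     time-picker token "tr", and EventCodes 4728/4732 in addition to 4756. -->
<form>
  <label>AD group membership changes</label>

  <fieldset submitButton="false">
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- The single real search for the whole dashboard. It is the only
       search that touches the index. Every EventCode any panel needs is
       pulled here once; the panels then filter this result set in memory. -->
  <search id="groupChanges">
    <query>
      index=wineventlog sourcetype="WinEventLog:Security"
          (EventCode=4728 OR EventCode=4732 OR EventCode=4756) action="success"
      | fields _time EventCode Group_Name action
    </query>
    <earliest>$tr.earliest$</earliest>
    <latest>$tr.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Enterprise Admin Change</title>
      <chart>
        <!-- base= points at the search id above. This panel starts no new
             search job; it post-processes the groupChanges results. The
             query therefore starts with a pipe, not with index=... -->
        <search base="groupChanges">
          <query>
            | search EventCode=4756 Group_Name="Enterprise Admins"
            | timechart dc(Group_Name) span=24h
            | appendpipe [stats count | where count=0]
          </query>
        </search>
      </chart>
    </panel>

    <panel>
      <title>Domain Admin Change</title>
      <chart>
        <!-- Same base search, different filter. Copy this panel for the
             remaining groups rather than adding another <search id=...>. -->
        <search base="groupChanges">
          <query>
            | search EventCode=4728 Group_Name="Domain Admins"
            | timechart dc(Group_Name) span=24h
            | appendpipe [stats count | where count=0]
          </query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Two caveats worth checking before relying on this. Post-process searches only see the results the base search actually returned; by default a non-transforming base search passes at most 500,000 events to its post-process searches and silently drops the rest, so on a busy domain controller feed it is safer to make the base search transforming (for instance `| bin _time span=24h | stats count by _time EventCode Group_Name` and then `| search ... | timechart sum(count)` in each panel), which also keeps the event count per time bucket small. The `action` field depends on the Windows add-on's field extractions being present on the search head, exactly as in the original panel searches.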