Hi,
I have a search that is taking waaaaaaaaayyyyyyyyy too long and am looking for ideas on how to improve it, be it tstats, data models, fields...
Here's my search (Active Directory data):
index=AD | regex host="(?i)\w+ads$" | regex EventCode="^(?:462[45]|4634|4648|4661|4696|4723|476[189]|477[0126]|563[23]|5140)$" | stats count
I stopped it when it had been running for 710 seconds, and didn't appear to be even 50% complete.
Thoughts?
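An added example, not part of the original post: the same filter rewritten so the indexers do the host and EventCode filtering in the base search instead of two post-search `regex` commands over every event in `index=AD`. Field names (`host`, `EventCode`) and the event-code list are taken from the post's regex; the `*ads` wildcard is an assumption that hosts ending in "ads" is what the `\w+ads$` pattern was meant to capture.

```spl
index=AD host=*ads EventCode IN (4624, 4625, 4634, 4648, 4661, 4696, 4723, 4761, 4768, 4769, 4770, 4771, 4772, 4776, 5632, 5633, 5140)
| stats count
```

Field-value matching in the base search is case-insensitive, so `host=*ads` covers the `(?i)` intent; the one difference from `\w+ads$` is that it would also match a host named exactly `ads`. Putting the values in the base search lets Splunk use them as index terms to skip events before extraction, which is where the time goes with `| regex` at the end of the pipeline. To confirm the rewrite matches the same events, run it with `| stats count by host, EventCode` over a short time range and compare against the original. `tstats` on the raw index would only help further if `EventCode` is an index-time field or is covered by an accelerated data model; with default Windows event log extraction it is a search-time field, so `tstats` cannot filter on it directly.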