I’m looking for a way to run a search on the results of a previous search. Subsearch won't work because I don't know what the second search will be until I get the results of the first.
The situation I keep finding myself in is, after running a search that takes a long time and returns many events, I find a key/value that I want to use to narrow down the results to a smaller set, i.e. a search that returns all traffic logs and evaluates for the IPs with the highest bandwidth. Then I could want to filter that to workstation subnets and still evaluate for the highest bandwidth. And then search for all traffic from the top N workstations and evaluate for the highest bandwidth destination or service. Or go back to the original search and filter that to server subnets.
Instead of adding each new filter to the original search, running it again and waiting, I’d like to search through the events that were first returned, drastically reducing the time it would take to run.
I’ve looked at the `loadjob` command but that has a limit of 25,000 events.
I've looked at the `sitop` command but that limits the second search to just a `top`. As far as I know `top` is limited to a count of events by field and I'm looking for more than just the count. In the example above I would need to make a summary of the sum of bandwidth.
Is there a way to save ALL of the results of a search and then run a search and/or transformation on those results?
I appreciate any advice you could give.
-BR
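The two-stage workflow described in the question, written out as SPL. This is an added example, not part of the original post or of any answer to it. It assumes a firewall sourcetype with the fields `src_ip`, `dest_ip`, `dest_port` and `bytes`, a workstation range of `10.10.0.0/16`, and that the expensive first search is pre-aggregated once with `stats` and persisted with `outputcsv`; later drill-downs read that file back with `inputcsv` instead of touching the raw events again.

```spl
index=network sourcetype=firewall earliest=-24h
| stats sum(bytes) AS total_bytes BY src_ip dest_ip dest_port
| outputcsv traffic_24h_summary

| inputcsv traffic_24h_summary
| stats sum(total_bytes) AS total_bytes BY src_ip
| sort - total_bytes
| head 10

| inputcsv traffic_24h_summary
| where cidrmatch("10.10.0.0/16", src_ip)
| stats sum(total_bytes) AS total_bytes BY src_ip
| sort - total_bytes
| head 10

| inputcsv traffic_24h_summary
| where cidrmatch("10.10.0.0/16", src_ip)
| eventstats sum(total_bytes) AS src_total BY src_ip
| sort - src_total
| dedup 10 src_ip
| stats sum(total_bytes) AS total_bytes BY dest_ip dest_port
| sort - total_bytes
```

The first block is the only one that reads raw events; it is run once. The three `inputcsv` searches that follow are separate searches (each must begin with `|`) and rerun only against the saved summary: overall top talkers, top talkers restricted to the workstation subnet, and the top destinations and services for the top ten workstations by volume. Aggregating at `src_ip`/`dest_ip`/`dest_port` granularity keeps the file far smaller than the raw events while still supporting every follow-up question listed in the post; if a later drill-down needs a field that was not part of the `BY` clause, the first stage has to be rerun with that field added.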