I've got a search that does a |table prior to doing an |eval for ldapfilter. The search results are displayed in a seemingly random order (not the order specified after |table). Is there a better way to do this so I can specify the results display order?
index=blah |table _time,UserName,displayName,IpAddress |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName"
Note: For some reason doing the order of |table vs. |eval |ldapfilter heavily impacts search performance.
Faster (11-12 secs): index=blah |table _time,UserName,displayName,IpAddress |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName"
Much slower (116-117 secs): index=blah |eval ID=UserName |ldapfilter search="(&(samAccountName=$ID$))" attrs="displayName" |table _time,UserName,displayName,IpAddress
↧