I think you may be making some incorrect assumptions about how things work. The answers you are getting have to do with testing whether fields on a single event are equal. If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.

Try to use this form if you can, because it's usually most efficient.

```
(index=foo1 some other search for record with field1) OR (index=foo2 some other search for records with field2)
| fields index field1 field2 whatever you need from either record
| eval matchfield=coalesce(field1,field2)
```

Here's a basic join version.

```
(index=foo1 some other search for record with field1)
| fields index field1 whatever you need from field1 record

index=foo2 some other search for records with field2
| fields index field2 whatever you need from field2 record
```

So I have Qualys data and was sent a list of 43 QIDs they want filtered out. Wow, look at all the options! This required some testing!

So I built a query for all the options above and ran them over a 24 hour period using Fast Mode. I'm running v6.6.3 on a stand-alone search head with 3 indexers. Tests were done in the evening with no other users on the SH.

First a control.

This search has completed and has returned 135,534 results by scanning 135,534 events in 7.27 seconds
This search has completed and has returned 343,584 results by scanning 343,584 events in 13.817 seconds

This search has completed and has returned 124,758 results by scanning 135,534 events in 6.986 seconds
This search has completed and has returned 311,256 results by scanning 343,584 events in 13.116 seconds

When I tried the regex trick, it didn't filter anything out.

This search has completed and has returned 124,758 results by scanning 135,534 events in 10.319 seconds
This search has completed and has returned 311,256 results by scanning 343,584 events in 18.323 seconds

I really like the elegance of this solution.

Next up is

I had to add some parentheses around the subsearch.

```
eventtype=qualys_vm_detection_event NOT ()
```

This search has completed and has returned 124,758 results by scanning 135,534 events in 6.974 seconds
This search has completed and has returned 311,256 results by scanning 343,584 events in 13.057 seconds
This search has completed and has returned 124,758 results by scanning 135,534 events in 6.858 seconds
This search has completed and has returned 311,256 results by scanning 343,584 events in 13.126 seconds
This search has completed and has returned 124,758 results by scanning 135,534 events in 7.001 seconds