Hi
My query taking too long.. and its
| from datamodel:Intrusion_Detection.IDS_Attacks
| where _time>relative_time(now(),"-10s@s")
| stats values(tag) as tag,dc(signature) as count by src | where count>25
And it seems it will never return output
any idea?
What is the time window being searched? How large is the data set being searched? Why use where instead of selecting -10s from the time picker?