All,
Any idea how I get the 10 oldest events from the search below? I need it to validate that we have 90 days of retention for an audit. Seems like I should be able to go a head 10. Seems like there should be a faster way of doing this rather than just using the head/tail functions?
index=* host=*dcs* sourcetype="WinEventLog:Security"
Hi daniel333, tstats looks like a good use here. For instance:
| tstats min(_time) as earliestTime where index=* host=*dcs* sourcetype="WinEventLog:Security" | convert ctime(earliestTime)
Run it over 90 or more days to get the minimum value for the events that match that search.
You could get a more informative look on retention by splitting by host, for instance:
| tstats min(_time) as earliestTime where index=* host=*dcs* sourcetype="WinEventLog:Security" by host | convert ctime(earliestTime)
To get the raw events themselves, I'd just use a custom search time that has a narrow window, like earliest=-90d@d latest=-89d@d to make the search run faster.
Please let me know if this answers your question! 😄
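Building on the per-host tstats idea above, here is an added search (not part of the original answer) that turns the earliest timestamp into an explicit pass/fail for the 90-day audit requirement. It keeps the page's host and sourcetype filter; the 120-day lookback window and the field names retentionDays and auditStatus are my own assumptions.

```spl
| tstats min(_time) as earliestTime, max(_time) as latestTime, count as eventCount
    where index=* host=*dcs* sourcetype="WinEventLog:Security" earliest=-120d@d latest=now
    by host
| eval retentionDays=round((now()-earliestTime)/86400, 1)
| eval auditStatus=if(retentionDays>=90, "PASS", "FAIL")
| convert ctime(earliestTime) ctime(latestTime)
| table host earliestTime latestTime eventCount retentionDays auditStatus
| sort auditStatus retentionDays
```

Hosts that fail sort to the top, and a host that is expected but missing from the table has no Security events in the window at all, which is worth checking separately before the audit. To pull the 10 oldest raw events for the evidence file, run the original event search over the narrow window suggested above and append `| sort 10 _time`.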