Hi @Taruchit, at first don't use the search command when you can put all the parameters in the main search. Then I'd avoid using All Time in a search, because you could have too many events; define a useful time range instead.

    index=_audit action=search provenance=* info=completed host IN (...) (apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME")
    | table user, apiStartTime, apiEndTime, search_et, search_lt, search
    | convert ctime(search_*)

About the meaning of the results, they depend on the parameters you defined; probably with apiEndTime="ZERO_TIME" you don't have the apiStartTime field. Analyze your search and modify it to have the best results for you.

Ciao.
Giuseppe
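To make the filtering and the `convert ctime(search_*)` step concrete outside Splunk, here is an added Python example (my own code, not part of the answer above or of Splunk) that runs the same selection over a few constructed `_audit`-style lines: keep only completed searches with a provenance, flag those where `apiStartTime` or `apiEndTime` is `ZERO_TIME`, and render epoch `search_et`/`search_lt` values the way `ctime` does. The sample lines and epoch values are constructed, and the field layout is an assumption modelled on the `Audit:[key=value, ...]` shape; the third row shows the case the answer mentions, where `apiEndTime="ZERO_TIME"` and no `apiStartTime` field is present.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of Splunk _audit search events (not real data).
AUDIT_LINES = [
    "Audit:[timestamp=05-10-2024 10:00:01.000, user=alice, action=search, info=completed, "
    "search_id='1715335201.1', search='search index=main error', apiStartTime='ZERO_TIME', "
    "apiEndTime='05/10/2024:10:00:00', search_et='N/A', search_lt='1715335200', provenance='UI:Search']",
    "Audit:[timestamp=05-10-2024 10:05:13.000, user=bob, action=search, info=completed, "
    "search_id='1715335513.2', search='search index=web status=500', apiStartTime='05/09/2024:10:05:00', "
    "apiEndTime='05/10/2024:10:05:00', search_et='1715248800', search_lt='1715335200', provenance='UI:Search']",
    "Audit:[timestamp=05-10-2024 10:07:45.000, user=carol, action=search, info=completed, "
    "search_id='1715335665.3', search='search index=_internal', apiEndTime='ZERO_TIME', "
    "search_et='N/A', search_lt='N/A', provenance='scheduler']",
    "Audit:[timestamp=05-10-2024 10:08:00.000, user=dave, action=search, info=granted, "
    "search_id='1715335680.4', search='search index=main', apiStartTime='ZERO_TIME', provenance='UI:Search']",
]

# key=value pairs; values are either single-quoted (may contain spaces and '=')
# or bare (run to the next comma or closing bracket).
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,\]]+))")

# Same columns as the `| table ...` in the answer.
COLUMNS = ["user", "apiStartTime", "apiEndTime", "search_et", "search_lt", "search"]


def parse_audit_line(line):
    """Turn one Audit:[...] line into a dict of its fields."""
    body = line[line.index("[") + 1 : line.rindex("]")]
    return {
        m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).strip()
        for m in FIELD_RE.finditer(body)
    }


def to_ctime(value):
    """Mimic `convert ctime`: epoch seconds -> 'MM/DD/YYYY HH:MM:SS' (UTC here); leave non-numeric values alone."""
    if value is None or not value.isdigit():
        return value
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def zero_time_searches(lines):
    """Equivalent of: action=search provenance=* info=completed (apiStartTime=ZERO_TIME OR apiEndTime=ZERO_TIME)."""
    rows = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("action") != "search" or ev.get("info") != "completed" or "provenance" not in ev:
            continue
        if "ZERO_TIME" not in (ev.get("apiStartTime"), ev.get("apiEndTime")):
            continue
        # Missing fields (e.g. apiStartTime when only apiEndTime is ZERO_TIME) come through as None.
        row = {col: ev.get(col) for col in COLUMNS}
        row["search_et"] = to_ctime(row["search_et"])
        row["search_lt"] = to_ctime(row["search_lt"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in zero_time_searches(AUDIT_LINES):
        print(" | ".join(str(row[col]) for col in COLUMNS))
```

Only the `alice` and `carol` events survive the filter: `bob` has concrete boundaries on both sides and `dave` is not a completed search. The `carol` row has `apiStartTime` as `None`, which is the situation the answer points out.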