Hello there,
This works, thank you.
Still, it takes ages to run, even on a short period of time.
The reason for that is that we have lots of users, and I mean LOTS.
When I inspect the search, the original "NOT [search sourcetype=server_b "New connection to server B" | dedup user | fields user]" becomes something like:
NOT ( ( user="xxxx1" ) OR ( da_user="xxxx2" ) OR ( da_user="xxxx3" ) OR ( da_user="xxxxx3" ) OR ( da_username="www") .......)
And this goes on and on and on, the total number of users in the "NOT" is around 40,000.
I guess this explains why the search takes forever to complete.
Any suggestions on how to improve the performance here?
Summary indexing does not look like a good option as I'd need to "remove" information from my summary index in this case. I thought about an intermediary lookup table that would include the username and the last connection time, but I'm not sure it'd make things faster.
Thoughts? Suggestions?
Thanks a lot in advance
Mat
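Two ways to get the same "users seen on A but never on B" result without the subsearch expanding into a 40,000-term NOT clause. This is an added example, not part of the original post. It assumes the main search is `sourcetype=server_a "Logged in"` (the post does not show it), that both sourcetypes expose the same `user` field (if one side names it differently, put `| rename <that_field> AS user` before the `stats`), that the lookup file `server_b_users.csv` is one we create, and that 24h/30d are just placeholder time windows. The first search does everything in one pass with `stats`, so Splunk never materialises the user list as a search filter; the second and third are the lookup route the post mentions: a scheduled search that writes the lookup, and the main search that left-joins against it and keeps only users with no match.

```spl
(sourcetype=server_a "Logged in" earliest=-24h) OR (sourcetype=server_b "New connection to server B" earliest=-30d)
| stats count(eval(sourcetype=="server_a")) AS a_events, count(eval(sourcetype=="server_b")) AS b_events, max(eval(if(sourcetype=="server_b", _time, null()))) AS last_b_connection BY user
| where a_events > 0 AND b_events == 0

sourcetype=server_b "New connection to server B" earliest=-30d
| stats max(_time) AS last_b_connection BY user
| outputlookup server_b_users.csv

sourcetype=server_a "Logged in" earliest=-24h
| lookup server_b_users.csv user OUTPUT last_b_connection
| where isnull(last_b_connection)
```

The `stats` version scales with the number of events, not the number of distinct users, and is not subject to the subsearch result limit (default 10,000 results for a search-filter subsearch), which with 40,000 users can silently truncate the NOT list and make the original search return wrong answers as well as slow ones. The lookup version moves the expensive side (scanning all of server_b) into a scheduled search; the main search then does a cheap per-event lookup, and the lookup file can be refreshed on whatever schedule the freshness requirement allows. Both avoid the OR/NOT expansion seen in the job inspector.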