Hi, I am trying to ingest the botsv2 and botsv3 indexed data into Security Essentials for demo and learning purposes, but the onboarding background search only checks data from the last 30 days, and the two BOTS datasets are from about 6 years ago. I want to know how to modify the onboarding search to expand its search time range.
I have a boatload of log files whose names contain the timestamp, like this:
/DATA/show_cpu.2016101908.gz
/DATA/show_cpu.2016102108.gz
I only want to check the events in the latest file, so I tried the following command:
index="-cli" source="show_cpu" | stats latest(source) by deviceId,fiveMinutes,timeStamp*
Unfortunately, the search results contain events from other source files.
Please help out.
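One way to restrict a search to the most recently timestamped file, as an added example that is not from the original post or from any reply: extract the timestamp embedded in the source path, compute the maximum across all matching events, and keep only the events whose source carries that timestamp. The `rex` field name `fileTs`, the `source` wildcard pattern, and the grouping fields are assumptions based on the file names and fields shown in the question.

```spl
index="-cli" source="*show_cpu.*"
| rex field=source "show_cpu\.(?<fileTs>\d{10})\.gz$"   /* assumption: 10-digit YYYYMMDDHH stamp, as in /DATA/show_cpu.2016101908.gz */
| eventstats max(fileTs) AS latestFileTs                 /* highest timestamp seen across all source files in the time range */
| where fileTs = latestFileTs                            /* drop events from every other file */
| stats latest(timeStamp) AS timeStamp latest(source) AS source BY deviceId, fiveMinutes
```

The filter has to run on `fileTs` rather than on `latest(source)`, because `stats latest(source)` only reports which file supplied the most recent event in each group; it does not exclude the rows contributed by older files. Note also that the search time picker still applies: the timestamp in the file name does not change `_time`, so the time range must cover the files you expect to compare.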