The solution to this "breaking up a large timeframe into smaller timeframes" uses macros. The macro and the search are listed below.

Search Query over 7 days (split up into 7 searches)

Each of the macros updates the lookup table and also checks only the indexes that haven't been checked for log4j yet; therefore it speeds up as more indexes are searched. The next step of this process is to use the same type of macro to narrow down the affected sourcetypes.

NOT [| inputlookup log4j_indexes.csv | table index]
[| makeresults
| addinfo
| eval latest=relative_time(info_max_time,"@d")
| eval earliest=latest-(24*60*60)
| eval earliest=strftime(earliest, "%m/%d/%Y:%H:%M:%S")
| eval latest=strftime(latest, "%m/%d/%Y:%H:%M:%S")
| table earliest latest]
| regex _raw="(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)"
| table index
| inputlookup append=true log4j_indexes.csv
| dedup index
| outputlookup log4j_indexes.csv
| `lookup_updater_ultra(lookup_table="log4j_indexes.csv",lookup_field="index",day=1,search_command="regex _raw=\"(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)\"")`
| `lookup_updater_ultra(lookup_table="log4j_indexes.csv",lookup_field="index",day=2,search_command="regex _raw=\"(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)\"")`
| `lookup_updater_ultra(lookup_table="log4j_indexes.csv",lookup_field="index",day=3,search_command="regex _raw=\"(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)\"")`
| `lookup_updater_ultra(lookup_table="log4j_indexes.csv",lookup_field="index",day=4,search_command="regex _raw=\"(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)\"")`
| `lookup_updater_ultra(lookup_table="log4j_indexes.csv",lookup_field="index",day=5,search_command="regex _raw=\"(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)\"")`
| `lookup_updater_ultra(lookup_table="log4j_indexes.csv",lookup_field="index",day=6,search_command="regex _raw=\"(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)\"")`
| `lookup_updater_ultra(lookup_table="log4j_indexes.csv",lookup_field="index",day=7,search_command="regex _raw=\"(\$|%24)(\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\$|%24|}|%7D)\"")`
| append [| inputlookup log4j_indexes.csv]

Lookup Table Updater Macro

append
[search NOT [| inputlookup $lookup_table$ | table $lookup_field$]
[| makeresults
| addinfo
| eval latest=relative_time(info_max_time,"-$day$d@d")
| eval earliest=latest-(24*60*60)
| eval earliest=strftime(earliest, "%m/%d/%Y:%H:%M:%S")
| eval latest=strftime(latest, "%m/%d/%Y:%H:%M:%S")
| table earliest latest]
| $search_command$
| table $lookup_field$
| inputlookup append=true $lookup_table$
| dedup $lookup_field$
| outputlookup $lookup_table$]

Possible Improvements: Recursive macros

You could have an if statement within the macro that acts somewhat like a for loop and recursively calls the next day down. Example: you are searching 7 days, so put 7 as an argument to the macro. It then checks using eval: "IF day is more than 1 then pass that same macro with current_day-1 as the day argument, ELSE pass 1".