Hi,
I am facing a subsearch performance problem. My goal is to have Bluecoat events filtered only to specific IPs coming from my firewall and having as a result the URL accessed by each IP.
My search looks like this:
index = bluecoat [search index=checkpoint rule=rule1 OR rule=rule2 AND rule_uid=id1 OR rule_uid=id2 OR rule_uid=id3 OR rule_uid=id4
    | fields src_ip
    | lookup dnslookup clienthost as src_ip output clientip as src_ip
    | dedup src_ip
    | table src_ip]
| stats values(URL) by src_ip
Now I found a couple of alternative suggestions to use eventstats or similar to prevent the subsearch, but wasn't able to create it by myself. Can anyone help to point me in the right direction?
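One way to drop the subsearch, as an added example that is not part of the original post: pull both indexes in a single base search, resolve the firewall hostnames with the same dnslookup (on a scratch field so Bluecoat IPs are never rewritten), tag each src_ip that appeared in a matching Checkpoint event with eventstats, and keep only the Bluecoat events with a tag. It assumes the rule/rule_uid terms were meant to be grouped as (rule1 OR rule2) AND (id1 OR ... OR id4); in SPL, AND binds tighter than OR, so the original ungrouped form is evaluated differently. The field names index, src_ip, clienthost, clientip and URL are taken from the post; fw_host, fw_ip and fw_hits are scratch names chosen here.

```spl
(index=checkpoint (rule=rule1 OR rule=rule2) (rule_uid=id1 OR rule_uid=id2 OR rule_uid=id3 OR rule_uid=id4))
OR (index=bluecoat)
| eval fw_host=if(index="checkpoint", src_ip, null())
| lookup dnslookup clienthost AS fw_host OUTPUT clientip AS fw_ip
| eval src_ip=if(index="checkpoint", coalesce(fw_ip, src_ip), src_ip)
| eventstats count(eval(index="checkpoint")) AS fw_hits BY src_ip
| where index="bluecoat" AND fw_hits>0
| stats values(URL) AS URL BY src_ip
```

This avoids the subsearch's 10,000-result and time limits; if the combined event volume is large, replacing the eventstats/where/stats tail with one stats call (values of URL where index="bluecoat", count where index="checkpoint", BY src_ip, then where fw_hits>0) removes a full pass over the events.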