Hi,
I am running use cases right out of the app. So for example, I run the "Increase in # of Hosts Logged into" use case, which is the search query below, and it queries the last 30 days:

index=* sourcetype=win*security (4624 OR 4647 OR 4648 OR 551 OR 552 OR 540 OR 528 OR 4768 OR 4769 OR 4770 OR 4771 OR 4774 OR 4776 OR 4778 OR 4779 OR 672 OR 673 OR 674 OR 675 OR 678 OR 680 OR 682 OR 683) | bucket _time span=1d | stats dc(host) as count by user _time
The search takes an extremely long time to run. This concerns me, as I don't know if I can schedule these off-hours and have a daily report emailed to me. The goal is to try and create alerts for these kinds of activities, as I don't want to manually run these queries.
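For reference, this is how that search can be turned into a scheduled alert that runs off-hours and emails its results, instead of being run by hand from the app. It is an added example, not code from the original post or from the app: it assumes a savedsearches.conf stanza in an app's local directory, that the Windows Security events live in an index named wineventlog (the original searches index=*), a 02:00 run time, and placeholder values for the stanza name, the threshold and the recipient address.

```ini
# Added example (not from the original post or the app). Assumptions: the
# Windows Security events are in index=wineventlog (the original uses
# index=*), the job runs daily at 02:00 server time, and the stanza name,
# thresholds and recipient address are placeholders to adjust.
# File: $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf

[Increase in Hosts Logged Into - Daily]
# Name the index and sourcetype explicitly so only the buckets that hold
# these events are opened; index=* scans every index for the whole 30 days.
# EventCode=... restricts the match to the event ID field, whereas a bare
# number like 551 or 540 matches that number anywhere in the event text.
search = index=wineventlog sourcetype=win*security \
    (EventCode=4624 OR EventCode=4647 OR EventCode=4648 OR EventCode=551 OR EventCode=552 \
     OR EventCode=540 OR EventCode=528 OR EventCode=4768 OR EventCode=4769 OR EventCode=4770 \
     OR EventCode=4771 OR EventCode=4774 OR EventCode=4776 OR EventCode=4778 OR EventCode=4779 \
     OR EventCode=672 OR EventCode=673 OR EventCode=674 OR EventCode=675 OR EventCode=678 \
     OR EventCode=680 OR EventCode=682 OR EventCode=683) \
    | bin _time span=1d \
    | stats dc(host) AS hosts BY user, _time \
    | eventstats avg(hosts) AS avg_hosts, stdev(hosts) AS sd_hosts BY user \
    | where _time >= relative_time(now(), "-1d@d") \
          AND hosts > avg_hosts + 2 * coalesce(sd_hosts, 0) \
          AND hosts >= 3 \
    | table user, hosts, avg_hosts, sd_hosts

# Run once a day at 02:00 over the previous 30 whole days (midnight to
# midnight), so the scheduled job never competes with business-hours searches.
enableSched = 1
cron_schedule = 0 2 * * *
dispatch.earliest_time = -30d@d
dispatch.latest_time = @d
# Allow the scheduler to start the job up to 60 minutes late instead of
# skipping the run when the search head is busy.
schedule_window = 60

# Trigger whenever the where clause leaves at least one result row.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.com
action.email.subject = Increase in hosts logged into: $result.user$
action.email.inline = 1
```

The search keeps the original's daily distinct-host count per user, then compares yesterday's bucket against that user's 30-day mean and standard deviation, so the email only lists users whose host count actually jumped rather than the full table. The job still reads 30 days of events every night; if that remains too slow, the usual next step is to have the nightly run compute only the last day's counts and write them to a summary index with the collect command, then run the comparison over the summary instead of the raw events.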