I have a query that, I am told, is taking up too many resources. I decided to break it up into two smaller reports (one for the first 12 hours of yesterday, one for the last 12 hours of yesterday).
How do I add this to the query without using the drop-down options or manually changing the time period? Current report:
index=main source="/var/log/bwi/lanwan" VIP="*prod*" VIP=*etw* CN="*"
| rex field=_raw "(^.*protocol=|^.*\s(via).*\snegotiated\sProtocol\s)(?<Protocol>.*?)\s(cipher=|with\sCipher\s)(?<Cipher>\w+-*\w*)"
| dedup CN
| rename CN AS PropertyNumber, OU AS PropertyName
| eventstats max(time_in_sec), min(time_in_sec), avg(time_in_sec), first(_time) as latest_time by PropertyNumber
| table PropertyNumber, PropertyName, Protocol, Cipher, _time
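One way to pin each half-day inside the search itself, as an added example that is not part of the original post: put `earliest=` and `latest=` time modifiers in the base search, before the first pipe. Modifiers written there override the time picker, and because they apply at the index-bucket level the indexer can skip buckets outside the window, which is what actually cuts the resource use. The example assumes the report is scheduled to run sometime today (so "yesterday" is relative to now), that the relevant timestamp is the indexed `_time`, and it keeps the rest of the original pipeline unchanged. `-1d@d` snaps to midnight at the start of yesterday, `-1d@d+12h` is noon yesterday, and `@d` is midnight at the start of today, so the two windows abut without overlapping.

```spl
/* Report 1: first 12 hours of yesterday (00:00 to 12:00).
   latest= is exclusive, so an event stamped exactly 12:00 falls into report 2. */
index=main source="/var/log/bwi/lanwan" VIP="*prod*" VIP=*etw* CN="*" earliest=-1d@d latest=-1d@d+12h
| rex field=_raw "(^.*protocol=|^.*\s(via).*\snegotiated\sProtocol\s)(?<Protocol>.*?)\s(cipher=|with\sCipher\s)(?<Cipher>\w+-*\w*)"
| dedup CN
| rename CN AS PropertyNumber, OU AS PropertyName
| eventstats max(time_in_sec), min(time_in_sec), avg(time_in_sec), first(_time) as latest_time by PropertyNumber
| table PropertyNumber, PropertyName, Protocol, Cipher, _time

/* Report 2: last 12 hours of yesterday (12:00 to 24:00). */
index=main source="/var/log/bwi/lanwan" VIP="*prod*" VIP=*etw* CN="*" earliest=-1d@d+12h latest=@d
| rex field=_raw "(^.*protocol=|^.*\s(via).*\snegotiated\sProtocol\s)(?<Protocol>.*?)\s(cipher=|with\sCipher\s)(?<Cipher>\w+-*\w*)"
| dedup CN
| rename CN AS PropertyNumber, OU AS PropertyName
| eventstats max(time_in_sec), min(time_in_sec), avg(time_in_sec), first(_time) as latest_time by PropertyNumber
| table PropertyNumber, PropertyName, Protocol, Cipher, _time
```

Two things to check before relying on this: the snap-to-day boundaries (`@d`) are evaluated in the time zone of the user the scheduled search runs as, so confirm that account's time zone matches the "yesterday" you mean; and if the schedule ever runs after midnight of the following day, `-1d@d` will have moved on to the next day, so a fixed run time shortly after 00:00 keeps both reports aligned to the same calendar day.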