Hi,
I'm working on a use case with the purpose of investigating user activity over time from multiple log sources and then visualizing it on a timeline (Timeline - Custom Visualization app).
Currently I'm combining data models (CIM) with append, but looking at performance this is not efficient and searches take too long to complete even with just a short time frame specified. The search looks like this at the moment:
| tstats count from datamodel=Authentication where Authentication.action="*" Authentication.user="*" Authentication.user!="unknown" by _time,Authentication.action,Authentication.user,Authentication.app,Authentication.src,Authentication.dest
| `drop_dm_object_name("Authentication")`
| append [| tstats count from datamodel=Web where Web.action="*" Web.user="*" Web.user!="unknown" by _time,Web.action,Web.user,Web.app,Web.src,Web.dest
          | `drop_dm_object_name("Web")`]
| append [| tstats count from datamodel=Network_Traffic where All_Traffic.action="*" All_Traffic.user="*" All_Traffic.user!="unknown" by _time,All_Traffic.action,All_Traffic.user,All_Traffic.app,All_Traffic.src,All_Traffic.dest
          | `drop_dm_object_name("All_Traffic")`]
| transaction user
| fields - *.app,*.user,*.action,*.src,*.dest
Only some of the data models are accelerated, such as Web. And my current understanding is that if I also add `summariesonly=true` to the Web data model in the search above, all other data models that are not accelerated will be excluded from the search?
The sourcetypes are known to me and I could use subsearches instead of data models, but I believe this is the best I've got to work with at the moment?
Any suggestions to improve the above search or taking a different approach for this use case?
Cheers!
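The search above restructured, as an added example that is not part of the original post: it shows that `summariesonly=t` is an argument of the single `tstats` call it is attached to, so it restricts only the accelerated Web model to its summary and leaves the appended `tstats` calls over the non-accelerated models untouched, and it makes the `append` subsearch limits explicit, since `append` silently truncates when a subsearch exceeds its row or time budget (the defaults are 50000 rows and 60 seconds). The `maxout`/`maxtime` values and the `datamodel` tag field are assumptions chosen for illustration; the CIM field and data model names are the ones from the original search. SPL triple-backtick comments (Splunk 8.0 and later) are used inside the block.

```spl
    ```Accelerated model first. summariesonly=t / allow_old_summaries=t scope to this tstats only; the appended searches are unaffected```
| tstats summariesonly=t allow_old_summaries=t count from datamodel=Web
    where Web.action="*" Web.user="*" Web.user!="unknown"
    by _time, Web.action, Web.user, Web.app, Web.src, Web.dest
| `drop_dm_object_name("Web")`
| eval datamodel="Web"
    ```Non-accelerated models: plain tstats falls back to scanning raw events. maxout/maxtime are assumed values that raise the subsearch budget above the 50000-row / 60-second defaults; anything beyond them is still cut off, so check the job inspector for truncation warnings```
| append maxout=50000 maxtime=120
    [| tstats count from datamodel=Authentication
         where Authentication.action="*" Authentication.user="*" Authentication.user!="unknown"
         by _time, Authentication.action, Authentication.user, Authentication.app, Authentication.src, Authentication.dest
     | `drop_dm_object_name("Authentication")`
     | eval datamodel="Authentication"]
| append maxout=50000 maxtime=120
    [| tstats count from datamodel=Network_Traffic
         where All_Traffic.action="*" All_Traffic.user="*" All_Traffic.user!="unknown"
         by _time, All_Traffic.action, All_Traffic.user, All_Traffic.app, All_Traffic.src, All_Traffic.dest
     | `drop_dm_object_name("All_Traffic")`
     | eval datamodel="Network_Traffic"]
    ```A per-user timeline only needs the rows ordered; sort 0 keeps every row and avoids the memory cost of transaction```
| sort 0 user, _time
| table _time, user, datamodel, action, app, src, dest, count
```

Two design choices differ from the original: the `datamodel` tag is added inside each branch, before the rows are merged, so the timeline can colour or filter by log source, and `transaction user` is replaced by `sort 0 user, _time`, because `transaction` groups and holds events in memory while a timeline visualization only needs one ordered row per event. Putting the accelerated model in the outer search rather than in a subsearch also keeps its full result set, since only the appended subsearches are subject to `maxout`.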