I am trying to chart initial logins over time as follows:
index="abc" sourcetype="*apache_access" NOT remote_ident="-"
| table _time remote_ident
| stats earliest(_time) as _time BY remote_ident
| timechart count
but the search is excruciatingly slow.
Any performance tips would be appreciated.
Thanks,
-Yisroel