Hal Pomeranz · Apr 15, 2021 · 10:03 PM UTC

Hal Pomeranz · Apr 15, 2021 · 10:03 PM UTC

Hal Pomeranz @hal_pomeranz

15 Apr 2021

Complex query run over 4.5T of CloudTrail data-- jq + xargs (for parallelism) banged it out in under 4hrs #CommandLineSkillz

Apr 15, 2021 · 10:03 PM UTC

Hal Pomeranz · Apr 15, 2021 · 10:25 PM UTC

Hal Pomeranz @hal_pomeranz

15 Apr 2021

Replying to @codeslack

650K or so

Hal Pomeranz · Apr 15, 2021 · 10:36 PM UTC

Hal Pomeranz @hal_pomeranz

15 Apr 2021

Replying to @codeslack

Uncompressed files on local disk. -P 64 on a 72 core system.

Hal Pomeranz · Apr 16, 2021 · 1:06 AM UTC

Hal Pomeranz @hal_pomeranz

16 Apr 2021

Replying to @codeslack

Oh yes, the disk situation is definitely a bottleneck. I could see the load and I/O wait shooting up.

J P · Apr 15, 2021 · 10:11 PM UTC

J P @JPoForenso

15 Apr 2021

Highly recommend checking out Athena to query CT logs from S3. Exponential time savings and relatively cheap (as compared to using other services/methods). Even better time & cost savings w/ partition mgmt. docs.aws.amazon.com/athena/l… workshop.aws-management.tool… wellarchitectedlabs.com/secu…