I can use usetime=true earlier=true to make a time-based join. But when I do something like:
sourcetype="sshd" "Accepted"
| rex field=_raw " (?<srv_ip>\S+) sshd"
| lookup dnslookup clientip AS srv_ip OUTPUT clienthost as fqdn
| rex field=_raw "for (?<local_user>\S+) from"
| rex field=_raw "from (?<src_ip>\S+)"
| stats max(_time) as accesstimestamp by src_ip,fqdn,local_user
| join type=inner usetime=true earlier=true src_ip
    [search sourcetype="firewall_logs"
     | rename assigned_ip as src_ip
     | eval fwtimestamp=_time
     | table fwtimestamp,login,src_ip
     | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(fwtimestamp) as fwtime
     | sort -fwtimestamp]
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(accesstimestamp) as accesstime
| fields - accesstimestamp fwtimestamp
| where local_user!="root"
| where login!=local_user
I can see results where fwtime>accesstime, but that shouldn't happen. What's the reason?
To make it more lightweight, I use the following query (a similar example):
sourcetype="web_access"
| stats max(_time) as accesstime by src_ip,web_login
| join type=inner usetime=true earlier=true
    [search sourcetype="fw_logs"
     | eval fwtime=_time
     | table fwtime,login,src_ip]
| where web_login!=login
and I can see results where fwtime>accesstime. That's weird.
Maybe stats has no information about time?
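Added example (editor's note, not part of the original post): with usetime=true, join compares the _time field of each main-search result against the _time field of the subsearch results. In both queries above that field is gone on both sides before the join runs: stats keeps only its by-fields and aggregates (max(_time) renamed to accesstime is an ordinary numeric field, not _time), and table fwtime,login,src_ip drops _time from the subsearch. With no _time to compare, the earlier=true constraint cannot be applied, which is consistent with rows where fwtime>accesstime. The variant below keeps _time on both sides and takes copies for display; sourcetype and field names are the ones from the post, and the final where clause on fwtime<=accesstime is an added sanity check rather than something the join needs once _time is present.

```spl
sourcetype="web_access"
| stats max(_time) AS _time BY src_ip, web_login
| eval accesstime=_time
| join type=inner usetime=true earlier=true src_ip
    [ search sourcetype="fw_logs"
      | eval fwtime=_time
      | fields _time, fwtime, login, src_ip
      | sort - _time ]
| where web_login!=login AND fwtime<=accesstime
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(accesstime) ctime(fwtime)
| table src_ip, web_login, login, accesstime, fwtime
```

The subsearch is sorted newest first so that, with join's default of one match per main result, the firewall assignment picked is the latest one that is still earlier than the login. After the join the subsearch's _time overwrites the main _time (join's default overwrite behaviour), which is why accesstime is copied out with eval beforehand. The usual join caveats still apply: the subsearch is subject to the subsearch result and runtime limits, so for large firewall volumes a stats-based correlation over a common field may be preferable to join.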