Dear all,
I have the following search:
host="1.1.1.1" VPN=A | join IP [search host="1.1.1.1" VPN=b] | table _time,username
May I know if it is possible to give a name to the main search and the subsearch, such as searchA and searchB, so that when I create a table, I can call out searchA._time and searchB._time?
Thanks
Hi,
You can try something like this to extract the _time value from the main search or the subsearch.
host="1.1.1.1" VPN=A | eval OuterTime=_time | join IP [search host="1.1.1.1" VPN=b | eval InnerTime=_time ] | table _time, username, OuterTime, InnerTime
For such a requirement, I would prefer to use the stats command, as it is much faster.
Thanks a lot. It seems to work, but the time shows a sequence number. Do you know why?
Hi,
The time format will be an epoch timestamp, and you need to convert it to a human-readable format using the command below.
your search .. |convert timeformat="%Y %b %d %H:%M:%S:%3N" ctime(OuterTime) ctime(InnerTime)
Hope this resolves your query.
Additionally if this solves your query, please mark this thread as answered.
It works. Thanks a lot
You cannot name a search, but you can achieve what you're looking for by renaming the fields in each of the searches, like so.
host="1.1.1.1" VPN=A | eval searchA_time=_time | join IP [search host="1.1.1.1" VPN=b | eval searchB_time=_time | fields IP searchB_time ] | table searchA_time searchB_time username
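
The stats approach mentioned in an earlier answer, sketched as an added example that is not part of the original thread. It assumes both VPN=A and VPN=b events carry the IP and username fields, and it returns one row per IP (with the most recent time from each side) rather than one row per main-search event as join does:

```spl
host="1.1.1.1" (VPN=A OR VPN=b)
| eval searchA_time=if(lower(VPN)=="a", _time, null())
| eval searchB_time=if(lower(VPN)=="b", _time, null())
| stats max(searchA_time) AS searchA_time max(searchB_time) AS searchB_time values(username) AS username BY IP
| where isnotnull(searchA_time) AND isnotnull(searchB_time)
| convert timeformat="%Y %b %d %H:%M:%S:%3N" ctime(searchA_time) ctime(searchB_time)
| table IP username searchA_time searchB_time
```

The where clause keeps only IPs seen on both sides, which mirrors the inner join; because everything runs in a single search, the subsearch result and runtime limits that apply to join do not come into play.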