Hi All,
index="XXX"
| stats latest(_time) as last_seen, values(ID) as ID, count by IP_Add
| eval Filter=if(count%2==0,"Even","Odd")
| search Filter="Odd"
| eval hours_since=(now()-last_seen)
| convert timeformat="%d-%b-%y %H:%M" ctime(last_seen)
| eval readable = tostring(hours_since, "duration")
| sort - last_seen
| rename readable as "Running for: Days+:HH:MM:SS", last_seen as "Started", IP_Add as "IP"
| table ID IP Started "Running for: Days+:HH:MM:SS" count
How do I increase count to +1 for every, let's say, 10 minutes that shows on duration until the stop event is received?
Thanks!!