I tried to do this with the join command, but there is a problem with using field values (ts) in the subsearch with the event code. index=files sourcetype=test_files | search src_ip="$src_ip$" action="$action$" file_name="$name_substr$" | join type=inner src_ip [ search index="windows" EventCode=4624 src_ip="$src_ip$" | eval time="$ts$" | eval ts_u=strptime(time, "%Y-%m-%dT%H:%M:%S.%6NZ") | eval start=relative_time(ts_u,"-24h") | where _time>$$start$$ AND _time<$$ts_u$$ | stats latest(_time) AS Latest, latest(TargetUserName) AS LastUser by src_ip | eval LastEvent=strftime(Latest,"%+") | table src_ip,LastEvent,LastUser ] | table ts, action, file_name, src_ip, LastEvent, LastUser, name When I specify an example time in the subsearch, it works correctly. index=files sourcetype=test_files | search src_ip="$src_ip$" action="$action$" file_name="$name_substr$" | join type=inner src_ip [ search index="windows" EventCode=4624 src_ip="$src_ip$" | eval time="2021-08-12T01:48:10.327248Z" | eval ts_u=strptime(time, "%Y-%m-%dT%H:%M:%S.%6NZ") | eval start=relative_time(ts_u,"-24h") | where _time>$$start$$ AND _time<$$ts_u$$ | stats latest(_time) AS Latest, latest(TargetUserName) AS LastUser by src_ip | eval LastEvent=strftime(Latest,"%+") | table src_ip,LastEvent,LastUser ] | table ts, action, file_name, src_ip, LastEvent, LastUser, name Is there any workaround for this issue?