Hi guys,
I have a search which finds DHCP and firewall events with the same src_ip.
It works perfectly fine, but gives me multiple DHCP events. Which is ok, but I want to limit my search to the first DHCP event which happened BEFORE the firewall event. I thought I could just extract the time of the firewall event with mvindex, but unfortunately, when I type
eval new_time=mvindex(_time, -1) I get nothing, and when I type eval new_time=mvindex(_time, 0), I get all 3 timestamps of the 3 events.
I also tested this out with other fields, because I suspected that maybe _time was causing me trouble, but I have the same problems with IP fields, status fields etc.
This does not make sense to me. According to the docs I am correctly using the command, and it should just return the timestamp at the index that I specified.
Does anyone have an idea why the mvindex is not working?
Thanks in advance!
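As an added SPL example (not from the original post), this shows the two ideas the question turns on: mvindex only does something useful on a field that is actually multivalue, which _time is not unless the events have first been grouped with stats, and pairing each firewall event with the latest DHCP lease before it is easier with a time-ordered streamstats than with mvindex. The index, sourcetype and field names (netlogs, dhcp, firewall, src_ip) are assumed.

```spl
/* Part 1: make _time multivalue before using mvindex.
   On raw events each row carries exactly one _time, so mvindex(_time, 0)
   just returns that row's own timestamp, once per event. Grouping by
   src_ip first gives one row per host with a real multivalue list. */
index=netlogs sourcetype=dhcp
| sort 0 src_ip _time
| stats list(_time) as dhcp_times by src_ip
| eval earliest_dhcp=mvindex(dhcp_times, 0),
       latest_dhcp=mvindex(dhcp_times, -1)
| convert ctime(earliest_dhcp) ctime(latest_dhcp)

/* Part 2: for every firewall event, keep only the most recent DHCP event
   that happened BEFORE it, per src_ip. streamstats walks the events in
   time order; last(dhcp_time) skips rows where the field is null, so the
   firewall row inherits the timestamp of the preceding DHCP lease. */
index=netlogs (sourcetype=dhcp OR sourcetype=firewall)
| eval kind=if(sourcetype=="dhcp", "dhcp", "fw")
| eval dhcp_time=if(kind=="dhcp", _time, null())
| sort 0 src_ip _time
| streamstats current=t last(dhcp_time) as last_dhcp_time by src_ip
| where kind=="fw" AND isnotnull(last_dhcp_time)
| eval lease_age_sec=_time-last_dhcp_time
| convert ctime(last_dhcp_time)
| table _time src_ip last_dhcp_time lease_age_sec
```

Firewall events with no earlier DHCP lease for that src_ip are dropped by the isnotnull check, which is usually the interesting set to review separately (an address active on the firewall that DHCP never handed out).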