I want to gather specific information out of unique sessions. There are 4 bits of information, I've been able to gather 2 of each, but not all 4 together in a search.
I would start with the unique session ID of the log, which is contained in every line of the log, followed by two strings in quotes which show the full log line that contains those strings which is what I want as what follows after it is unique.
UniqueSessionID "connected to" OR "IN IP4 "
What that does is immediately show me the full log line that contains those phrases, where I can immediately see the unique IP address right after it.
Now the other two bits of information I want is to show me the very first or earliest log line/event and the last/latest log line/event. What can I add that will show me this information? The only thing I want out of the first and last log line is just the timestamp.
Another approach I saw on these forums was:
stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval FirstEvent=strftime(Earliest,"%+") | eval LastEvent=strftime(Latest,"%+")
This definitely shows me the first timestamp and last timestamp under "FirstEvent" and "LastEvent", however I put in UniqueSessionID "connected to" OR "IN IP4 ", it's ignored.
Any suggestions please?
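One way to get all four pieces in a single search, as an added example that is not part of the original post: `stats` is a transforming command that replaces the events with one summary row, whereas `eventstats` computes the same aggregates over every event in the session and attaches them to each event, so the phrase filter can be applied afterwards. `UniqueSessionID` stands for the literal session ID as in the post, and the field names are the ones already used above.

```spl
UniqueSessionID
| eventstats earliest(_time) AS Earliest latest(_time) AS Latest
| search "connected to" OR "IN IP4 "
| eval FirstEvent=strftime(Earliest,"%+"), LastEvent=strftime(Latest,"%+")
| table _time FirstEvent LastEvent _raw
```

The phrase filter has to come after `eventstats`; if it is placed in the base search, the earliest and latest times are computed only over the matching lines rather than over the whole session.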