I use the following query to find the process mstsc.exe in a subsearch. After that I want to use the results from this subsearch to find events within a timeframe, which is also given by the subsearch.
Unfortunately it is not possible to define more than one timeframe in the main search, so the OR (FORMAT function) from the subsearch is not working. How can I solve that problem?
Thanks for the help.
| tstats summariesonly=true count AS "count_useragent" from datamodel=Web
    where ((nodename = Web) (Web.http_user_agent=_) (Web.dest!="*cembra.ch")
      [ search sourcetype="digitalguardian:process" Application_Full_Name=mstsc.exe
        | eval earliest=_time
        | eval latest=_time+60
        | rename user AS Web.user
        | fields Web.user earliest latest
        | FORMAT "(" "(" "" ")" "OR" ")" ])
    by _time,"Web.user","Web.dest" span=1s
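One way to get per-user time windows without putting several earliest/latest pairs into the main search, written here as an added example rather than the poster's query: run the tstats search once over the whole period (set by the time picker), restrict it to the users seen launching mstsc.exe, then join the process events back in and enforce each 60-second window with a `where` on `_time`. The data model, fields, sourcetype and the 60-second window come from the question above; the user-agent filter is written as a wildcard (`Web.http_user_agent=*`), which is an assumption about the intended filter, and the output field names `window_start`, `window_end`, `user` and `dest` are chosen for this example.

```spl
| tstats summariesonly=true count AS count_useragent
    from datamodel=Web
    where nodename=Web Web.http_user_agent=* Web.dest!="*cembra.ch"
      [ search sourcetype="digitalguardian:process" Application_Full_Name=mstsc.exe
        | rename user AS Web.user
        | fields Web.user ]
    by _time Web.user Web.dest span=1s
| rename Web.user AS user, Web.dest AS dest
| join type=inner max=0 user
    [ search sourcetype="digitalguardian:process" Application_Full_Name=mstsc.exe
      | eval window_start=_time, window_end=_time+60
      | fields user window_start window_end ]
| where _time>=window_start AND _time<=window_end
| table _time user dest count_useragent window_start window_end
```

The inner subsearch only narrows tstats to the relevant users, so the accelerated search still runs once over the broad time range; `max=0` lets each web row match every mstsc.exe launch for that user instead of only the first, and the final `where` is what actually applies the 60-second window per launch. Check the subsearch limits (result count and runtime) in limits.conf if the process search returns many events, because a truncated subsearch silently drops windows.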