Hi,
I wonder whether someone may be able to help me please.
In a separate search I have created a lookup table containing src_user, StartTime, and action (whose value is connected). It adds all the connected users to the lookup table with the time:
source=........ VPNaction=connected
| dedup src_user _time
| eval StartTime=strftime(_time,"%m/%d/%Y %H:%M:%S")
| eval action=VPNaction
| table src_user StartTime action
| outputlookup ConnectedVpn.csv createinapp=true
Now I want to look for the ended connections and compare the end time with the start time:
source=..... VPNaction=ended
| dedup src_user _time
| eval EndTime=strftime(_time,"%m/%d/%Y %H:%M:%S")
| eval action=VPNaction
| table src_user EndTime action
| lookup ConnectedVpn.csv src_user OUTPUT StartTime
| eval diff=strptime(EndTime,"%m/%d/%Y %H:%M:%S")-strptime(StartTime,"%m/%d/%Y %H:%M:%S")
| table src_user StartTime action EndTime diff
How can I remove the row of a user whose connection has ended from ConnectedVpn.csv? Otherwise it will cause a problem for that user's next start.
Thank you
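One way to keep the lookup in sync, as an added example that is not part of the original post: store the raw epoch time (StartEpoch) in the lookup so the duration is plain arithmetic, and rebuild the lookup on every run by merging its current rows with the latest connected/ended events and keeping only users whose most recent event is a connect. The source value "vpn_logs", the 15-minute scheduling window, and the field name StartEpoch are assumptions; the first search reports durations and the second maintains the lookup, so schedule the report before the maintenance search.

```spl
source="vpn_logs" VPNaction=ended earliest=-15m
| dedup src_user _time
| eval EndEpoch=_time
| lookup ConnectedVpn.csv src_user OUTPUT StartEpoch
| eval StartEpoch=tonumber(StartEpoch)
| where isnotnull(StartEpoch) AND EndEpoch>=StartEpoch
| eval diff=EndEpoch-StartEpoch,
       StartTime=strftime(StartEpoch,"%m/%d/%Y %H:%M:%S"),
       EndTime=strftime(EndEpoch,"%m/%d/%Y %H:%M:%S")
| table src_user StartTime EndTime diff

| inputlookup ConnectedVpn.csv
| eval StartEpoch=tonumber(StartEpoch)
| append
    [ search source="vpn_logs" (VPNaction=connected OR VPNaction=ended) earliest=-15m
      | dedup src_user _time
      | eval StartEpoch=if(VPNaction="connected",_time,null()),
             EndEpoch=if(VPNaction="ended",_time,null())
      | table src_user StartEpoch EndEpoch ]
| stats max(StartEpoch) as StartEpoch, max(EndEpoch) as EndEpoch by src_user
| where isnull(EndEpoch) OR EndEpoch<StartEpoch
| eval StartTime=strftime(StartEpoch,"%m/%d/%Y %H:%M:%S"), action="connected"
| table src_user StartEpoch StartTime action
| outputlookup ConnectedVpn.csv
```

The second search drops a user when their latest ended event is newer than their latest connected event, and keeps (or refreshes) the row when a new connect arrives, so a user who disconnects and reconnects within the same window ends up with the new start time rather than a stale one. Ended events for users with no row in the lookup are discarded rather than written. If the only goal is the duration and not a live table of connected users, a single search with `transaction src_user startswith="VPNaction=connected" endswith="VPNaction=ended"` yields a `duration` field per session without any lookup, at a higher cost on large event volumes.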