In for wanting this answered. ... View more

This is much better, thank you. ... View more

I had not seen that one. Thanks! Reading the threads now. ... View more

This sounds like what I'm dealing with. I'll confirm then give you the 'accept' on your answer. Thanks! ... View more

Both are being searched in Verbose mode. That was one of my thoughts but even in Fast or Smart this same thing happens. ... View more

It's alright, you're helping me get much farther then just googling to solve this. So I've been able to confirm that the timestring gets listen into the fields on the search now and matches for the events that i wanted it to pull up. But when I run a | where timestring=_time I get nothing back as a match. But if I visually look at the two fields they're the same _time and timestring. So I'm not sure why that would be a failing search. I feel like this should be what I need now. Maybe I have a space or something wrong? Edit: timestringfield 2018-01-10T15:04:25.000-06:00 _time 2018-01-10T15:04:25.000-06:00 Why isn't the where timestringfield=_time search working? They match on the events I want. edit 2: Got it working. Thanks for all the help, just had to combine several of your answers together for it. | from datamodel:"Apps"."All_Apps" | search source="Access - Apps - Rule" | eval timestring=strptime("1/10/18 3:04:25.000 PM" , "%x %I:%M:%S.%3Q %p") | where timestring=_time Thanks soo much. ... View more

The timestamp is close but _time (2018-01-01T14:00:20.000-06:00) has the -06:00 on it which isn't getting translated over from the date the token provides (not sure what this part of the timestamp is called). I think this is what's causing me from being able to simply do this as your last suggestion shows and do a direct match. Could I wildcard this in some way to get around that? If I could figure out a way to search for events around that time (5min) that would probably be enough for us. This is a pretty small dataset. ... View more

I don't think this is what I'm looking to do, not that I know XML well enough to tell. The search timeframe is 24 hours for this search. Since we're always working with recent data. What I'm trying to do is search with the output of another dashboard I put into a token. But that output isn't the correct format to search it to match against "_time". So I wanted to convert it over so I could search it using _time. This will pull up 2 or 3 events that explain what happened in a certain situation but the only thing tying these events together is when they where logged. ( I wanted to fix this on this side, since we already do other things with this output in the syntax it's in and I'm not looking to open that can of worms. So my token can't come through in the correct syntax) ... View more

What I've got, maybe I went wrong with this but I'm not quite sure on how to finish it. My token that's passed into this is called "timevalue", which will be an input like i said above (1/1/18 2:00:20.000 PM). This is taken from another dashboard result. | from datamodel:"Apps"."All_Apps" | search source="Access - Apps - Rule" (This is the dataset I'm searching in) | eval timeformat1="$timevalue$" | eval timeformat2=strftime(strptime(timeformat1, "%x %I:%M:%S.%3Q %p"), "%FT%H:%M:%S.%3Q") What would I add onto this now that I've converted the time I had to the _time value to search it? I want to search for the events that happened at that exact time. (This is how we're correlating two events to eachother since if they got into this datamodel they're related, but the only data we have to search for what we want is the time value.) ... View more

Okay, This makes more sense now. I'm going to give this a try and i'll be back to accept your answer when I get it working. Thanks much. ... View more

Thanks for pointing me in a direction for research. I got an answer that is working for me above but I'm going to take your advice and see how well that does. ... View more

index=Events EventType="Logon" | dedup userID | stats list(user) by ip I dedup the userID before I did the stats command so it would only pull a single UserID. Did I just go about that weird and created my issue? I think I just answered my own question here with your first suggestion. I did the "Index=Events EventType="Logon" | dedup userID | | stats list(userID) as users count by IP | sort 0 - count" And this is working as I wanted. Giving unique users per IP with a count I can sort on. Thanks! ... View more

Okay, I wasn't sure if this was a good application for that since I'm not looking in TONS of data. Thanks, ... View more

I thought i had done that, Thanks for the reminder. ... View more

Thank you, this is exactly what I wanted. I knew it had to be a simple option i just couldn't find. ... View more

This is working but it doesn't seem to have a load or speed benefit. Might even be slower. Thanks for the attempt though. I wonder if this would be worth trying to create a summary index for? Or if that'd even be faster? ... View more