Hi,
I am trying to join information returned by an index, with different filters, to each other and I am unable to get correct information and need help in sorting it out.
So, I have an index that contains some events such as login, logoff, logonReject, InformationFlow etc. There is no particular sequence in which these events happen, i.e. a logged in user can login again without logging off.
Now I want to join these events in such a way that they appear as following in the same row for a particular user:
Time of InformationFlow, Time of Logoff, Time of Logon, Time of Logon Reject.
I want only the first logoff, logon, logonReject event after every InformationFlow event.
My query looks something like below:
index="xyZ" source=events.log ("Event=InformationFlow") | rename EventTime as InformationFlowTime | fields UserId, _time, InformationFlowTime
| join UserId type=left usetime=true earlier=false max=0 [search index="xyZ" source=events.log ("Event=Logoff") | rename EventTime as LogoffTime | fields UserId, _time, LogoffTime]
| join UserId type=left usetime=true earlier=false max=0 [search index="xyZ" source=events.log ("Event=Logon") | rename EventTime as LogonTime | fields UserId, _time, LogonTime]
| join UserId type=left usetime=true earlier=false max=0 [search index="xyZ" source=events.log ("Event=LogonReject") | rename EventTime as LogonReject | fields UserId, _time, LogonReject]
| table UserId, InformationFlowTime, LogoffTime, LogonTime, LogonReject
Now the problem is, the query above gives me all possible combinations of InformationFlowTime with LogonTime, LogoffTime etc., whereas I want only the first LogonTime, LogoffTime, LogonReject after each InformationFlow type of event.
If I remove max=0 from the query, it just gives me the most recent LogonTime, LogoffTime etc. because I am using earlier=false in the join.
Can someone tell me how I can join the data in the order they appear? I am running out of ideas here.
Thanks,
TG
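As an added illustration (not part of the original question, and not an answer posted on the thread), the script below implements in plain Python the correlation the question asks for: for every InformationFlow event of a user, the first Logoff, Logon and LogonReject that follow it. The log line format and the sample events are constructed assumptions, and the column names follow the final `table` in the question. The point it makes is that a time-ordered single pass assigns each follow-up event to the InformationFlow rows it is the first match for, so the result has exactly one row per InformationFlow event rather than the cross product a time-based join with max=0 produces.

```python
from datetime import datetime

# Constructed sample log lines (an assumption about the format; not from the original post).
# Each line: ISO timestamp, UserId=<user>, Event=<type>.
SAMPLE_LOG = """\
2024-01-01T08:00:00 UserId=alice Event=Logon
2024-01-01T08:05:00 UserId=alice Event=InformationFlow
2024-01-01T08:06:00 UserId=bob Event=InformationFlow
2024-01-01T08:07:00 UserId=alice Event=Logon
2024-01-01T08:09:00 UserId=alice Event=LogonReject
2024-01-01T08:10:00 UserId=alice Event=Logoff
2024-01-01T08:12:00 UserId=alice Event=Logoff
2024-01-01T08:15:00 UserId=alice Event=InformationFlow
2024-01-01T08:20:00 UserId=alice Event=Logoff
2024-01-01T08:30:00 UserId=bob Event=Logoff
"""

# Follow-up event types and the output column each one fills
# (column names follow the final `table` in the question).
FOLLOW_UP_COLUMNS = {
    "Logoff": "LogoffTime",
    "Logon": "LogonTime",
    "LogonReject": "LogonReject",
}


def parse_line(line):
    """Parse one constructed log line into a dict with time, user and event."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(timestamp),
        "raw_time": timestamp,
        "user": fields["UserId"],
        "event": fields["Event"],
    }


def correlate(lines):
    """Return one row per InformationFlow event, holding the first Logoff, Logon and
    LogonReject that follow it for the same user (None where no such event occurs).

    Each follow-up event is written into every still-incomplete row of that user whose
    column is empty, so it is "first after" all of them; a row stops accepting events
    once all three columns are filled. Rows come back in InformationFlow time order.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["time"])
    rows = []
    pending = {}  # user -> rows of that user that still have an empty column

    for ev in events:
        user_pending = pending.setdefault(ev["user"], [])
        if ev["event"] == "InformationFlow":
            row = {"UserId": ev["user"], "InformationFlowTime": ev["raw_time"]}
            row.update({col: None for col in FOLLOW_UP_COLUMNS.values()})
            rows.append(row)
            user_pending.append(row)
        elif ev["event"] in FOLLOW_UP_COLUMNS:
            col = FOLLOW_UP_COLUMNS[ev["event"]]
            for row in user_pending:
                if row[col] is None:
                    row[col] = ev["raw_time"]
            # Drop rows that have now seen all three follow-up types.
            pending[ev["user"]] = [
                r for r in user_pending
                if any(r[c] is None for c in FOLLOW_UP_COLUMNS.values())
            ]
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG.splitlines()):
        print(row)
```

With the sample above, alice's second Logoff at 08:12 is ignored because her first InformationFlow row is already complete, and it only becomes relevant again once a new InformationFlow opens a fresh row; bob's row keeps None in the Logon and LogonReject columns, which is the left-join behaviour the question wants to preserve.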