So, I have this search on events covering the 28th of February to the 6th of March, 2018:
Some basic search
| eval customer_id = substr(host,2,5)
| eval session_duration = stop_time - start_time
| eval start_date = strftime(start_time,"%d/%m/%y %H:%M:%S")
| convert rmunit(session_duration) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| sort - start_time
| table customer_id, start_date, task_id, host_ip, from_user, stringSecs
| rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration"
This creates the perfect "starting" table I want, with the most recent data at the top, until I click on the table header to re-sort by date.
Ascending: (expecting 28/02/18)
Descending: (expecting 06/03/18)
From what I understand, even if I specified the European time format in the search, the interactive table sorting is based on alphanumeric order.
One quick fix would be to use the ISO format (YYYY-MM-DD), which I am opting for right now, but what if the end user absolutely wants dd/mm/yy and still wants to be able to click on the header to change the order?
Is there an option to change this behavior?
Thanks in advance.
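As an added example (not part of the original post), the same pipeline restructured so that the epoch value remains the value stored in the date column: the dd/mm/yy rendering is applied with fieldformat rather than eval, which only changes how the value is displayed, and the search-side sort runs before table so that start_time is still present. The base search and the two time bounds are placeholders, and the example assumes that the interactive column sort operates on the stored (numeric) value of a fieldformat-ed field rather than on the rendered string.

```spl
index=PLACEHOLDER_INDEX sourcetype=PLACEHOLDER_SOURCETYPE earliest="02/28/2018:00:00:00" latest="03/07/2018:00:00:00"
| eval customer_id = substr(host,2,5)
| eval session_duration = stop_time - start_time
| eval stringSecs = tostring(session_duration, "duration")
| sort 0 - start_time
| eval start_date = start_time
| fieldformat start_date = strftime(start_date, "%d/%m/%y %H:%M:%S")
| table customer_id, start_date, task_id, host_ip, from_user, stringSecs
| rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration"
```

The `0` after `sort` lifts the default 10,000-result limit of the sort command, so a week of session events is not silently truncated; `start_date` is a copy of the epoch so that the raw `start_time` field can still be dropped by `table`.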