I am having issue finding a way to standardize email for a query that will make the output "First Last" to a new field.  there are mainly two email types in "first.x.last@domain.com" or "first.last@domain.com" The first works for "first.x.last@domain.com":  | makeresults | eval name="first.x.last@domain.com" | rex field=name "^(?<Name>[^@]+)" | eval tmp=split(Name,".") | eval tmp2=split(Name,".") | eval FullName=mvindex(tmp,0) | eval FName=mvindex(tmp2,2) | table FullName FName | eval newName=mvappend(FullName,FName) | eval FN=mvjoin(newName, " ") | table FN  And this for "first.last@domain.com" | makeresults | eval name="first.last@domain.com" | rex field=name "^(?<Name>[^@]+)" | eval tmp=split(Name,".") | eval FullName=mvindex(tmp,0,1) | eval FN=mvjoin(FullName, " ") | table FN Any recommendations of how to accomplish getting an output of "First Last" to one field for both email types?  ... View more

I am using the following query to show the duration of a accounts logon and logoff. The results come back in epoch time, and if I make changes to time using eval strftime, it negates the duration. Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latesteval(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon If I add Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | eval time=strftime(_time,"%x %r") | stats earliest(eval(if(EventCode=4624, time, null()))) as Logon latesteval(eval(if(EventCode=4634, time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon it converts the Logon and Logoff , but the duration field comes up blank. I am assuming its due to duration not being able to compute the modified time format. ... View more