I'm trying to write a query that searches for a user's ID, shows what buildings they have accessed, and who else has accessed the building in the last 60 minutes. I've got the first two parts working, but I'm struggling to implement the time portion of the query. I've scoured the doco, tried evals and transactions, but I'm missing something and just can't narrow my search down any further. It just keeps returning all the results in the time range I specified (24 hrs).
index=security sourcetype="sec:doorlogs"
[search Who="Person A" AND Status="Success" | fields Status Location _time ]
| table Location Status Who _time
| sort -_time
This produces the following:

Location    Status   Who        _time
Building A  Success  Person 6   2020-03-19T17:30:42.000+1000
Building A  Success  Person 5   2020-03-19T15:57:01.000+1000
Building A  Success  Person 4   2020-03-19T15:38:09.000+1000
Building A  Success  Person 3   2020-03-19T13:49:59.000+1000
Building B  Success  Person 2   2020-03-19T12:48:22.000+1000
Building A  Success  Person A   2020-03-19T12:50:08.000+1000  **
Building B  Success  Person 2   2020-03-19T12:38:45.000+1000
Building A  Success  Person 7   2020-03-19T12:36:57.000+1000
Building B  Success  Person 8   2020-03-19T11:50:56.000+1000
Building B  Success  Person A   2020-03-19T11:39:05.000+1000  **
Building A  Success  Person 9   2020-03-19T10:39:02.000+1000
Building A  Success  Person 10  2020-03-19T09:30:55.000+1000
Building A  Success  Person 1   2020-03-19T08:38:35.000+1000
I'm trying to achieve:

Location    Status   Who        _time
Building A  Success  Person 3   2020-03-19T13:49:59.000+1000
Building A  Success  Person A   2020-03-19T12:50:08.000+1000  **
Building A  Success  Person 7   2020-03-19T12:36:57.000+1000
Building B  Success  Person 8   2020-03-19T11:50:56.000+1000
Building B  Success  Person A   2020-03-19T11:39:05.000+1000  **
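The correlation the question is asking for, as an added example that is not part of the original post: for each of the subject's own successful accesses, keep every successful access to the same building within plus or minus 60 minutes of it. The rows are constructed from the sample output above in a CSV-style layout (the field names match the post; the CSV form and the 60-minute window being symmetric are assumptions).

```python
from datetime import datetime, timedelta

# Constructed from the sample rows in the post: Location,Status,Who,_time
DOOR_LOGS = """\
Building A,Success,Person 6,2020-03-19T17:30:42.000+1000
Building A,Success,Person 5,2020-03-19T15:57:01.000+1000
Building A,Success,Person 4,2020-03-19T15:38:09.000+1000
Building A,Success,Person 3,2020-03-19T13:49:59.000+1000
Building B,Success,Person 2,2020-03-19T12:48:22.000+1000
Building A,Success,Person A,2020-03-19T12:50:08.000+1000
Building B,Success,Person 2,2020-03-19T12:38:45.000+1000
Building A,Success,Person 7,2020-03-19T12:36:57.000+1000
Building B,Success,Person 8,2020-03-19T11:50:56.000+1000
Building B,Success,Person A,2020-03-19T11:39:05.000+1000
Building A,Success,Person 9,2020-03-19T10:39:02.000+1000
Building A,Success,Person 10,2020-03-19T09:30:55.000+1000
Building A,Success,Person 1,2020-03-19T08:38:35.000+1000
"""


def parse_logs(text):
    """Parse the CSV-style rows into dicts with a timezone-aware _time."""
    rows = []
    for line in text.strip().splitlines():
        location, status, who, ts = line.split(",")
        # The sample timestamps carry a colon-less offset, which %z accepts.
        rows.append({"Location": location, "Status": status, "Who": who,
                     "_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")})
    return rows


def co_access(rows, subject, window=timedelta(minutes=60)):
    """Successful accesses to a building within +/- window of one of the
    subject's own successful accesses to that same building (subject included)."""
    anchors = [r for r in rows if r["Who"] == subject and r["Status"] == "Success"]
    hits = [r for r in rows if r["Status"] == "Success" and any(
        a["Location"] == r["Location"] and abs(r["_time"] - a["_time"]) <= window
        for a in anchors)]
    # Same presentation as the post's query: newest first.
    return sorted(hits, key=lambda r: r["_time"], reverse=True)


if __name__ == "__main__":
    for r in co_access(parse_logs(DOOR_LOGS), "Person A"):
        print(r["Location"], r["Status"], r["Who"], r["_time"].isoformat())
```

Run against the sample data, a strict 60-minute window also keeps Person 2's Building B entry at 12:38:45 (59 min 40 s after Person A's 11:39:05 access), which the desired output in the post omits, while the 12:48:22 entry falls outside the window; decide whether the cutoff should be strict before porting the logic to SPL.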