https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457545#M129234 <P>Sorry, I read it wrong. Can you try this? tweak the time format according to your need. Hope this should help now?</P> <PRE><CODE>index=wineventlog EventCode=4624 OR EventCode=4625 | eval failed_time=if(EventCode=4625,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"") |eval Success_time=if(EventCode=4624,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"") | stats list(EventCode) as EventCode range(_time) AS duration values(failed_time) as failed_time values(Success_time) as Success_time BY ComputerName | rex field=duration mode=sed "s/\..*$//" | where duration &lt;600 </CODE></PRE> Wed, 21 Aug 2019 02:58:41 GMT nareshinsvu 2019-08-21T02:58:41Z https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457542#M129231 <P>Hi,<BR /> I am trying to create a search that finds two sequential events. So far I have:</P> <BLOCKQUOTE> <P>index=wineventlog EventCode=4624 [ search index=wineventlog EventCode=4625 | eval earliest=_time | eval latest=_time+600 | fields earliest latest ComputerName ]</P> </BLOCKQUOTE> <P>This works and returns successful windows logins that follow a failed login within a 10min period. What I want to do though is return a table that shows the time that the first event occurred and the time that the second triggering event occurred. I tried appending:</P> <BLOCKQUOTE> <P>| table ComputerName earliest _time</P> </BLOCKQUOTE> <P>But the earliest field comes back blank when I want that to be showing the time stamp fo the event that matched the subsearch.</P> <P>Any help would be appreciated. Thanks.</P> Wed, 30 Sep 2020 01:50:26 GMT https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457542#M129231 shayvdee 2020-09-30T01:50:26Z https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457543#M129232 <P>Are you trying to match anything from your sub-search? if not, can you try this?</P> <PRE><CODE>index=wineventlog earliest="-10m@m" latest="now" EventCode=4624 OR EventCode=4625 | fields _time EventCode ComputerName </CODE></PRE> Wed, 21 Aug 2019 00:59:05 GMT https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457543#M129232 nareshinsvu 2019-08-21T00:59:05Z https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457544#M129233 <P>Hi @nareshinsvu</P> <P>Thanks for your answer.</P> <P>I need to match the ComputerName from the subsearch and then use the time from the subsearch to find other events in the same time period.</P> <P>In the example, I want to find all successful logins over the last week that occur within 10min of a failed login on the same computer.</P> <P>Thanks.</P> Wed, 21 Aug 2019 01:29:36 GMT https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457544#M129233 shayvdee 2019-08-21T01:29:36Z https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457545#M129234 <P>Sorry, I read it wrong. Can you try this? tweak the time format according to your need. Hope this should help now?</P> <PRE><CODE>index=wineventlog EventCode=4624 OR EventCode=4625 | eval failed_time=if(EventCode=4625,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"") |eval Success_time=if(EventCode=4624,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"") | stats list(EventCode) as EventCode range(_time) AS duration values(failed_time) as failed_time values(Success_time) as Success_time BY ComputerName | rex field=duration mode=sed "s/\..*$//" | where duration &lt;600 </CODE></PRE> Wed, 21 Aug 2019 02:58:41 GMT https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457545#M129234 nareshinsvu 2019-08-21T02:58:41Z https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457546#M129235 <P>Thanks. Not quite working yet, but I think you have pointed me down the right track.</P> <P>Thanks.</P> Wed, 21 Aug 2019 03:16:31 GMT https://community.splunk.com/t5/Splunk-Search/Return-Timestamp-from-inner-and-outter-search/m-p/457546#M129235 shayvdee 2019-08-21T03:16:31Z