With the query below I am able to get the snap date. I need to capture the correct date and timing.
index=vmware-inv sourcetype="vmware:inv:vm" host="*****"
| dedup moid sortby time
| spath changeSet.summary.runtime.powerState output=powerState
| spath changeSet.name output=name
| makemv delim=" " time
| eval time=mvindex(time,0)
| stats latest(powerState) as PowerState by moid,name,time
| search PowerState=PoweredOff
| sort time
Please share a sample event with private data hidden and identify the field(s) you wish to capture.
I am getting output like below, but this is capturing the first snapshot time; I need the output for when it's powered off.
vm-***** sevm-KMS-27 2013-04-17 poweredOff
vm-***** V11-2-L1Con6 2015-03-03 poweredOff
I see "poweredOff". Isn't that what you want? If not, please share the raw events and what you want from them.
Can someone help me with this?