I am trying to correlate 2 sets of data together via join search statement, however I need to do a join based on 2 main variables ("vpnIp ON Address" AND " ts ON event_timestamp") on both sets of data.
An example would be the following:
I would like to join data from the following raw line:
Right now we have the current join above working with the "vpnIP ON Address" portion of the join.
I would like to join based on both the vpnIp (i.e. 220.127.116.119) and the time of the event generated (ts ON event_timestamp). In the example above, the timestamp shown is off by a few seconds.
What would be the best way to overcome what appears to be a minor obstacle? I am not sure how to match the times up correctly when the timestamp between the 2 events is off by a few seconds.
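As an added illustration (not part of the question above), the following Python shows the correlation logic the question asks for: an exact match on the IP field plus a nearest-timestamp match within a tolerance window, instead of requiring equal timestamps. Rounding both timestamps into the same time bucket before joining is the other common approach, but it misses pairs that straddle a bucket boundary; the window-based nearest match below does not. Field names vpnIp/ts and Address/event_timestamp come from the question; the records, the `user` and `sig` fields and the 10-second tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: a VPN session log (vpnIp, ts) and an alert log
# (Address, event_timestamp). Timestamps deliberately differ by a few seconds.
VPN_EVENTS = [
    {"vpnIp": "220.127.116.119", "ts": "2023-05-01T10:00:00", "user": "alice"},
    {"vpnIp": "220.127.116.119", "ts": "2023-05-01T10:30:00", "user": "bob"},
    {"vpnIp": "10.0.0.5", "ts": "2023-05-01T10:00:03", "user": "carol"},
]
ALERTS = [
    {"Address": "220.127.116.119", "event_timestamp": "2023-05-01T10:00:04", "sig": "A"},
    {"Address": "220.127.116.119", "event_timestamp": "2023-05-01T10:31:00", "sig": "B"},  # 60 s away: no match
    {"Address": "10.0.0.5", "event_timestamp": "2023-05-01T09:59:58", "sig": "C"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp string (assumed format of the sample records)."""
    return datetime.fromisoformat(value)


def fuzzy_join(vpn_events, alerts, tolerance_s=10):
    """Join each alert to the VPN event with the same IP whose timestamp is
    closest to the alert's, provided the difference is within tolerance_s.
    Alerts with no VPN event inside the window are dropped (inner-join semantics)."""
    tol = timedelta(seconds=tolerance_s)
    # Index VPN events by IP so each alert only scans candidates for its own address.
    by_ip = {}
    for ev in vpn_events:
        by_ip.setdefault(ev["vpnIp"], []).append(ev)

    joined = []
    for alert in alerts:
        t_alert = parse_ts(alert["event_timestamp"])
        best, best_delta = None, None
        for ev in by_ip.get(alert["Address"], []):
            delta = abs(parse_ts(ev["ts"]) - t_alert)
            # Keep the nearest candidate, but only if it falls inside the window.
            if delta <= tol and (best_delta is None or delta < best_delta):
                best, best_delta = ev, delta
        if best is not None:
            joined.append({**alert, **best, "delta_s": best_delta.total_seconds()})
    return joined


if __name__ == "__main__":
    for row in fuzzy_join(VPN_EVENTS, ALERTS):
        print(row["sig"], row["user"], row["delta_s"])
```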