I've got some logs where a certain field ('randomletter') is normally X, but occasionally changes to Y (or even Z!).
I would like to get a list of all the instances, and for how long it was reported as not being X.
I was hoping I could just use the transaction command to give me a list with the new field 'duration'.
search | transaction randomletter | search NOT randomletter="X"
This of course doesn't give me what I want though... it groups huge swathes of events together, consecutive or not. Talking about 'consecutive', the 'connected' parameter gave me a glimmer of hope, but that doesn't do it.
In the end, I'm looking for a list of times based on consecutive events where 'randomletter' did not change, as well as a duration of that 'not-changingness'.
Anyway, hopefully a simple question, someone must have done it before! Anyone any ideas? 🙂
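The grouping the question asks for (runs of consecutive events with the same 'randomletter' value, with a start time, end time and duration per run, then keeping only the runs that are not X) is a run-boundary problem rather than a transaction problem: a new group starts whenever the value differs from the previous event's value. The following Python is an added example, not code from the original post; it walks time-ordered events once and closes a run at every change. The log line format and the timestamps are constructed for the example; only the field name 'randomletter' and the "normal" value X come from the post.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the original post). The timestamp format
# (ISO-8601) and the host= field are assumptions for the example.
SAMPLE_LOGS = """\
2024-01-01T10:00:00 host=web1 randomletter=X
2024-01-01T10:01:00 host=web1 randomletter=X
2024-01-01T10:02:00 host=web1 randomletter=Y
2024-01-01T10:03:30 host=web1 randomletter=Y
2024-01-01T10:05:00 host=web1 randomletter=X
2024-01-01T10:06:00 host=web1 randomletter=Z
2024-01-01T10:07:00 host=web1 randomletter=X
"""

# Leading token is the timestamp; the field of interest is a key=value pair anywhere after it.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+.*?\brandomletter=(?P<val>\S+)")


def parse_events(text):
    """Return (timestamp, randomletter) tuples sorted by time; lines without the field are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group("ts")), m.group("val")))
    # Run detection only works on time-ordered input, so sort explicitly.
    events.sort(key=lambda e: e[0])
    return events


def consecutive_runs(events, until_change=False):
    """Group consecutive events with the same value into runs.

    Each run records the value, first/last timestamp, event count and a duration
    in seconds. By default duration = last event - first event of the run (the
    same notion of duration the transaction command uses). With until_change=True
    the duration instead reaches until the first event of the next run, i.e. the
    time the value was observed as unchanged before it flipped.
    """
    runs = []
    for ts, val in events:
        if runs and runs[-1]["value"] == val:
            runs[-1]["end"] = ts            # extend the open run
            runs[-1]["count"] += 1
        else:
            runs.append({"value": val, "start": ts, "end": ts, "count": 1})  # value changed: new run
    for i, r in enumerate(runs):
        if until_change and i + 1 < len(runs):
            end = runs[i + 1]["start"]
        else:
            end = r["end"]
        r["duration"] = (end - r["start"]).total_seconds()
    return runs


def deviations(events, normal="X", until_change=False):
    """Only the runs during which the field was not at its normal value."""
    return [r for r in consecutive_runs(events, until_change) if r["value"] != normal]


if __name__ == "__main__":
    for r in deviations(parse_events(SAMPLE_LOGS)):
        print(f"{r['value']} from {r['start']} to {r['end']}: {r['duration']:.0f}s over {r['count']} events")
```

Note the two duration definitions: a run consisting of a single off-value event has duration 0 under the first-to-last definition, which is usually not what "how long was it not X" means, so `until_change=True` is often the more useful figure. In Splunk the same run-boundary logic is what `streamstats` is typically used for (compare each event's value with the previous event's, increment a run counter on every change, then `stats` by that counter), rather than `transaction`, which groups by field value regardless of adjacency.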