Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Help Ungrouping Time Range on event search

briansarmiento
New Member
‎04-03-2020 07:21 AM

Hi everyone,

I have found this search for GlobalProtect on PaloAlto Networks App, The information showed its really usefull, the only problem I have it's. How do I show receive_time or time of the log on the Results.

| tstats summariesonly=t latest(log.event_id) AS latest_event, values(log.agent_message) AS log.agent_message, values(log.src_ip) AS log.src_ip count FROM datamodel="pan_firewall" WHERE nodename="log.system.globalprotect" """" groupby _time log.event_id log.user

when i erase the * time* field, this colum disappear, and if I try something like values(log.receivetime) it doesn't show any information.

I just want to show the time without a groupby cause this groups all the logs to 30 mins time all logs example; 10:00 am - 10:30 am.

0 Karma
Reply