Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help Ungrouping Time Range on event search

briansarmiento
Explorer
‎04-03-2020 07:21 AM

Hi everyone,

I have found this search for GlobalProtect on PaloAlto Networks App, The information showed its really usefull, the only problem I have it's. How do I show receive_time or time of the log on the Results.

| tstats summariesonly=t latest(log.event_id) AS latest_event, values(log.agent_message) AS log.agent_message, values(log.src_ip) AS log.src_ip count FROM datamodel="pan_firewall" WHERE nodename="log.system.globalprotect" """" groupby _time log.event_id log.user

when i erase the * _time* field, this colum disappear, and if I try something like values(log.receive_time) it doesn't show any information.

I just want to show the time without a groupby cause this groups all the logs to 30 mins time all logs example; 10:00 am - 10:30 am.

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!