I am doing a CTF that provides logs to filter and work through. One of the questions asks for the time period between when the brute force attack was carried out and the last request that was sent.
To find the first timestamp I used:
```
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"| table _time | sort by _time | head 1
```
Similar to that, I used:
```
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"| table _time | sort by _time | tail 1
```
Each search query works fine by itself, but when used together they don't. Also, trying to use
```
eval start_time = index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"| table _time | sort by _time | head 1
```
throws an error:
Error """ : Comparator '=' has an invalid term on the left hand side: start_time=index."""
How do I choose the first and last datetime from the table created without using two queries?
```
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd* | regex "passwd=batman"
| stats earliest(_time) as start latest(_time) as end
```
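
Building on the `stats earliest/latest` search above, this added example (not part of the original thread) also computes the elapsed time the question asks for and renders the timestamps readably; the field names `attempts`, `duration_seconds` and `duration` are chosen here for illustration. `eval` takes an expression rather than a search, which is why the `eval start_time = index=...` attempt is rejected, so both timestamps come from a single aggregation instead.

```spl
index=botsv1 imreallynotbatman.com source="stream:http" form_data=*username*passwd*
| regex "passwd=batman"
| stats earliest(_time) as start latest(_time) as end count as attempts
| eval duration_seconds = end - start
| eval duration = tostring(duration_seconds, "duration")
| eval start = strftime(start, "%Y-%m-%d %H:%M:%S.%3N"), end = strftime(end, "%Y-%m-%d %H:%M:%S.%3N")
| table start end attempts duration_seconds duration
```

`duration_seconds` is computed before `start` and `end` are converted to strings, because the subtraction needs the epoch values.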