 
					
				
		
Below query i am able to get the snap date. i need to capture correct date and timing.
index=vmware-inv sourcetype="vmware:inv:vm" host="*****" 
| dedup moid sortby time 
| spath changeSet.summary.runtime.powerState output=powerState 
| spath changeSet.name output=name 
| makemv delim=" " time 
| eval time=mvindex(time,0) 
| stats latest(powerState) as PowerState by moid,name,time
| search PowerState=PoweredOff 
| sort time
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Please share a sample event with private data hidden and identify the field(s) you wish to capture.
 
					
				
		
i am getting the out put like below but this is capturing the first snapshot time, but i need out put when it's poweredoff 
vm-*****    sevm-KMS-27 2013-04-17  poweredOff
vm-*****    V11-2-L1Con6    2015-03-03  poweredOff
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		I see "poweredOff". Isn't that what you want? If not, please share the raw events and what you want from them.
 
					
				
		
Can someone help me on this !!!!
