That should be pretty straightforward: make a stats with latest of whichever field you want to see the most recent of, in your case _time to get the timestamp. You end up with something like this:
to="<*@allianz.co.uk>" | stats latest(_time) as time by user
If you want to display the timestamp in human readable format, use the following eval
to="<*@allianz.co.uk>" | stats latest(_time) as time by user | eval t=strftime(time, "%D - %H:%M:%S")
index=_internal *INFO* "sendemail:354"| stats latest(_time) as time by recipients | eval t=strftime(time, "%D - %H:%M:%S")
WHOA! That was quick! 😉
I just had to change "as time by user" to "as time by to" and that's it!
Thank you so much!
Mike
Were you able to view the results of email address by time with the above query I posted?
index=_internal INFO "sendemail:354"| stats values(_time) as time by recipients | eval t=strftime(time, "%D - %H:%M:%S")
OR
index=_internal INFO "sendemail:354"| eval t=strftime(_time, "%D - %H:%M:%S")|stats values(recipients) as Recipients by t
The above gets you addresses by time, for any specified time range.
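To make concrete what the two stats pipelines in this thread compute, here is an added Python example (not from the thread, and not Splunk code) that emulates `index=_internal INFO "sendemail:354" | stats latest(_time) as time by recipients | eval t=strftime(time, "%D - %H:%M:%S")` and the `eval t=strftime(_time, ...) | stats values(recipients) by t` variant over a few constructed splunkd-style log lines. The line layout, the `recipients="[...]"` field, splitting that list into one address per row, and spelling `%D` out as `%m/%d/%y` are all assumptions made for illustration, not facts about any real Splunk install.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the spirit of splunkd.log sendemail entries.
# The exact field layout is an assumption; real lines may differ.
SAMPLE_LOG = """\
2023-05-01 09:15:02,120 INFO  sendemail:354 - Sending email. subject="Daily report", recipients="['alice@example.co.uk']"
2023-05-01 09:20:45,003 INFO  sendemail:354 - Sending email. subject="Alert", recipients="['bob@example.co.uk', 'alice@example.co.uk']"
2023-05-02 08:05:11,500 INFO  sendemail:354 - Sending email. subject="Daily report", recipients="['alice@example.co.uk']"
2023-05-02 08:05:11,500 WARN  sendemail:410 - SMTP timeout, recipients="['carol@example.co.uk']"
"""

# timestamp, log level, logger:line, and the bracketed recipients list
LINE_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+(\w+)\s+(\S+) - .*?recipients="\[(.*?)\]"'
)


def parse_events(text):
    """Emulate the base search: keep INFO events from sendemail:354 only,
    with _time as epoch seconds (UTC assumed) and recipients split per address."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, source, raw = m.groups()
        if level != "INFO" or source != "sendemail:354":
            continue
        epoch = (
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            .replace(tzinfo=timezone.utc)
            .timestamp()
        )
        recipients = [r.strip().strip("'\"") for r in raw.split(",") if r.strip()]
        events.append({"_time": epoch, "recipients": recipients})
    return events


def latest_by_recipient(events):
    """stats latest(_time) as time by recipients: one row per address,
    holding the most recent _time at which mail went to it."""
    latest = {}
    for ev in events:
        for addr in ev["recipients"]:
            if addr not in latest or ev["_time"] > latest[addr]:
                latest[addr] = ev["_time"]
    return latest


def format_time(epoch):
    """eval t=strftime(time, "%D - %H:%M:%S"); %D written out as %m/%d/%y
    so the result does not depend on the platform's libc (assumption)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%y - %H:%M:%S")


def recipients_by_time(events):
    """eval t=strftime(_time, ...) | stats values(recipients) by t:
    one row per formatted timestamp, with the sorted, de-duplicated
    set of addresses mailed at that second."""
    buckets = defaultdict(set)
    for ev in events:
        buckets[format_time(ev["_time"])].update(ev["recipients"])
    return {t: sorted(addrs) for t, addrs in sorted(buckets.items())}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for addr, when in sorted(latest_by_recipient(evs).items()):
        print(f"{addr:28} latest: {format_time(when)}")
    for t, addrs in recipients_by_time(evs).items():
        print(f"{t}  {', '.join(addrs)}")
```

The WARN line from sendemail:410 is dropped by the base-search filter, so carol@example.co.uk never appears, just as it would not match `INFO "sendemail:354"` in Splunk. The first function answers "when did each address last get mail", the second answers "who got mail at each time"; both come from the same events, which is why the thread's two queries are interchangeable depending on which column you want on the left.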