want to report a pattern for each day and grab event times from different logs for that pattern , tried something like this but not working as expected , need suggestions.   Current Query index="blah" source="*blah*" "Incomming" | rex "Incomming: (?<s_json>.*])" | timechart span=1d earliest(_time) as a_time by s_json | join type=outer s_json [ search index="blah" source="*blah*" "Internal" | rex "Internal: (?<s_json>.*])" | timechart span=1d latest(_time) as c_time by s_json ] | convert ctime(a_time) | convert ctime(c_time) | table _time,s_json,a_time,c_time   Expected - Date1 , j1 , a_time,c_time Date1,j2,a_time,c_time Date2,j3,a_time,c_time Date3,j4,a_time,c_time Date4,j1,a_time,c_time Date4,j2,a_time,_ctime   Each day can have its own unique patterns ( j1,j2,j3,j4 ... ) , so need to dyamicallly pick that for that day and report a_time and c_time

Hi, First question here - apologies if it's obvious or basic! I am trying to parse a nested list and find specific policies that match a couple of criteria. But I can't seem to get the logic right.  If you look at the JSON below, there is a nested list of "policies". I just want to find the policies with a result of "false" and with a filename starting with "./hard" and I want to print the "print" messages in a table. The JSON output is here:   { "resource": { "action": "hard_failed", "meta": { "result": false, "passed": 1, "total_failed": 2, "hard_failed": 1, "soft_failed": 0, "advisory_failed": 1, "duration_ms": 0, "sentinel": { "schema_version": 1, "data": { "sentinel-policy-networking": { "can_override": false, "error": null, "policies": [ { "allowed_failure": true, "error": null, "policy": "sentinel-policy-networking/advisory-mandatory-tags", "result": false, "trace": { "description": "This policy uses the Sentinel tfplan/v2 import to require that\nspecified AWS resources have all mandatory tags", "error": null, "print": "aws_customer_gateway.customer_gateway has tags that is missing, null, or is not a map or a list. It should have had these items: [Name]\naws_vpn_connection.main has tags that is missing, null, or is not a map or a list. It should have had these items: [Name]\n", "result": false, "rules": { "main": { "desc": "Main rule", "ident": "main", "position": { "filename": "./advisory-mandatory-tags.sentinel", "offset": 1244, "line": 38, "column": 1 }, "value": false } } } }, { "allowed_failure": false, "error": null, "policy": "sentinel-policy-networking/soft-mandatory-vpn", "result": false, "trace": { "description": "This policy uses the Sentinel tfplan/v2 import to require that\nAWS VPNs only used allowed DH groups", "error": null, "print": "aws_vpn_connection.main has tunnel1_phase1_dh_group_numbers [2] with items [2] that are not in the allowed list: [19, 20, 21]\n", "result": false, "rules": { "main": { "desc": "Main rule", "ident": "main", "position": { "filename": "./soft-mandatory-vpn.sentinel", "offset": 740, "line": 23, "column": 1 }, "value": false } } } }, { "allowed_failure": false, "error": null, "policy": "sentinel-policy-networking/hard-mandatory-policy", "result": true, "trace": { "description": "This policy uses the Sentinel tfplan/v2 import to validate that no security group\nrules have the CIDR \"0.0.0.0/0\" for ingress rules. It covers both the\naws_security_group and the aws_security_group_rule resources which can both\ndefine rules.", "error": null, "print": "", "result": true, "rules": { "main": { "desc": "", "ident": "main", "position": { "filename": "./hard-mandatory-policy.sentinel", "offset": 2136, "line": 58, "column": 1 }, "value": true } } } } ], "result": false } } }, "comment": null, "run": { "id": "run-5bY1pzrxAHWMH8Qx", "message": "Update main.tf" }, "workspace": { "id": "ws-LvRrPmVrm4MSnDC9", "name": "aws-networking-sentinel-policed" } }, "type": "policy_check", "id": "polchk-i8KAHhKX7Dqb7T3A" }, "request": { "id": null }, "auth": { "impersonator_id": null, "type": "Client", "accessor_id": "user-pF6Tu2NVN7hgNa7E", "description": "gh-webhooks-nicovibert-org-yuYK0J4bQO", "organization_id": "org-b5PqUHqMpyQ2M86A" }, "timestamp": "2021-11-26T22:08:52.000Z", "version": "0", "type": "Resource", "id": "9890fc46-f913-48d9-b2f7-64f8fc1c4d0e" }   This search below isn't quite working for me. There must be an easier way to do - perhaps with spath ? - but I can't get it to work. sourcetype="terraform_cloud" AND resource.meta.sentinel.data.sentinel-policy-networking.policies{}.trace.rules.main.position.filename = "./hard*" AND resource.meta.sentinel.data.sentinel-policy-networking.policies{}.trace.rules.main.value="false" | table auth.description, resource.meta.hard_failed, resource.meta.sentinel.data.sentinel*.policies*.trace.print   Thanks in advance for any pointers, examples or hints.

Team - looking for ideas how to achieve the below scenario Query 1 - get list of unique patterns for each day Query 2 - for the list of above patterns get earliest occurence for each day Query 3 - for the list of above patterns get latest occurence for each day Report - Day , Pattern , earliest time , latest time Note - Query 1, 2,3 are all different search queries , as they all are in different log lines

Is it possible to do a search that returns the last 4 full hours? Meaning, if it is 5:13 PM it would return results between 1:00 PM and 5:00 PM (filters out off the current hour) Thanks in advance for any responses

I have a query that returns multiple times and I need to step through this result doing a subtraction count between one and the other. Example: Time = time[0] - time[1] Time = time[1] - time[2] etc .... My search looks like this:   <my search> | eval Time=_time | stats values(Time) as Time by UserName| eval reconnection=if(UserName == UserName, tonumber(mvindex(Time,1))-tonumber(mvindex(Time,0)), "falha") | where reconnection>0 AND reconnection<600 | eval reconnection=tostring(reconnection, "duration")

Hi  I've noticed that controller verison 21.11.1-778 has introduced a new create users method, previously on older controller versions, it was possible to enter username, email, name and password for a new user, now this has been changed to only name and e-mail. I'm very curious to why this has been implemented? It makes sense that newly created users now receive an e-mail where they can enter their own desired password, but the fact that the e-mail address now functions as their username .. Well that's really a pain.. Is there any way to change this back? I administer a fairly large amount of AppDynamics users where everyone has their initials as current username and I really dislike this new enforced "email as username" idea that has been implemented..