Sorry, I tried to make this a little clearer with an image, but that requires more "Karma".
What happens is that I build a transaction (SEARCH ... | transaction maxspan=24h Username IP), but it bundles more into _raw than I'd like, ending up like this:
>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
And I would like to separate the _raw so it looks like this:
>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 2
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 3
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
I tried to do it with this: SEARCH ... | transaction maxspan=24h Username IP | eval _raw=split(_raw,"disconnected"), but it did not work.
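The poster wants one record per open/disconnect pair rather than one 24-hour blob per Username/IP. In SPL the usual way to express that boundary is to give transaction explicit start and end markers (startswith="Session Open" endswith="Session disconnected") instead of splitting _raw afterwards. The script below is an added example, not code from the post or from Splunk: it takes the bundled _raw shown above (reconstructed here as a constructed sample, assuming the events are joined by "; " and newlines, and assuming the year 2023 since the syslog timestamps carry none) and performs the same pairing outside Splunk, so the expected result can be checked. It also reports the edge cases the transaction command would otherwise silently merge or drop: an Open with no Disconnect inside maxspan, and a Disconnect with no preceding Open.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the bundled _raw from the post above, one 24h transaction
# that actually contains three separate sessions.
BUNDLED_RAW = (
    "Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; "
    "Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected\n"
    "Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; "
    "Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected\n"
    "Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; "
    "Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected\n"
)

# The host field is optional because the disconnect lines in the post lack it.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\d{1,3}(?:\.\d{1,3}){3}): )?"
    r"Username = (?P<user>\S+), IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"Session (?P<action>Open|disconnected)$"
)


def split_events(raw):
    """Break a bundled _raw back into the individual event strings (assumed
    separators: '; ' between paired events and newlines between lines)."""
    return [p.strip() for p in re.split(r";\s*|\n", raw) if p.strip()]


def parse_event(line, year=2023):
    """Parse one event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the year is an assumption supplied by the caller.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "user": m["user"],
            "ip": m["ip"], "action": m["action"]}


def build_sessions(raw, maxspan=timedelta(hours=24), year=2023):
    """Pair each 'Session Open' with the next 'Session disconnected' for the same
    (Username, IP), the way transaction startswith/endswith would, and return
    (sessions, incomplete). Opens that never close within maxspan and
    disconnects with no preceding open go to `incomplete` instead of being
    merged into a neighbouring session."""
    open_by_key = {}
    sessions, incomplete = [], []
    for line in split_events(raw):
        ev = parse_event(line, year)
        if ev is None:
            incomplete.append({"reason": "unparsed", "raw": line})
            continue
        key = (ev["user"], ev["ip"])
        if ev["action"] == "Open":
            if key in open_by_key:
                # Second Open before any Disconnect: the earlier one never closed.
                incomplete.append({"reason": "open_without_disconnect", **open_by_key.pop(key)})
            open_by_key[key] = ev
            continue
        start = open_by_key.pop(key, None)
        too_far = start is not None and not (timedelta(0) <= ev["time"] - start["time"] <= maxspan)
        if start is None or too_far:
            if start is not None:
                incomplete.append({"reason": "open_without_disconnect", **start})
            incomplete.append({"reason": "disconnect_without_open", **ev})
            continue
        sessions.append({
            "user": ev["user"], "ip": ev["ip"], "host": start["host"],
            "start": start["time"], "end": ev["time"],
            "duration_s": int((ev["time"] - start["time"]).total_seconds()),
        })
    # Anything still open at the end of the input never disconnected.
    for ev in open_by_key.values():
        incomplete.append({"reason": "open_without_disconnect", **ev})
    return sessions, incomplete


if __name__ == "__main__":
    done, leftover = build_sessions(BUNDLED_RAW)
    for s in done:
        print(f"{s['user']}@{s['ip']} {s['start']:%H:%M:%S}-{s['end']:%H:%M:%S} {s['duration_s']}s")
    for bad in leftover:
        print("incomplete:", bad)
```

Run against the sample it prints three sessions of 1207, 705 and 3972 seconds and nothing incomplete. Feeding it a log where a user reconnects without a prior disconnect, or where a disconnect arrives more than maxspan after the open, shows up in the `incomplete` list rather than being folded into the wrong session, which is the behaviour to keep in mind when reading transaction output for access auditing.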