I'm trying to figure out a search that will parse through all events from a specific sourcetype.
For each unique value from a field (for example users=example), I want to calculate and display in a new column the time difference between the oldest and the newest event (field name is _time).
Here is what I've been trying to do, and it doesn't work.
user=* action=failure |foreach user [eval dif=max(_time)-min(_time)] | table user , dif , src
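The search above fails for two reasons: `foreach` iterates over field names, not over the distinct values of a field, and `max()`/`min()` inside `eval` compare values within a single event rather than across events. Aggregating across events per user is what `stats ... BY user` does. The following is an added example, not the poster's search or anything from the Splunk product: the first block of commands fabricates a handful of constructed authentication events with `makeresults` so the search runs on any Splunk instance with no data loaded; the field names `user`, `action`, `src` and `_time` come from the question, while `first_seen`, `last_seen`, `dif_readable` and the sample timestamps and IPs are assumptions made up here.

```spl
| makeresults
| eval data="2024-03-01T08:00:00 user=alice action=failure src=10.0.0.5;2024-03-01T08:00:03 user=alice action=failure src=10.0.0.5;2024-03-01T08:00:09 user=alice action=failure src=10.0.0.5;2024-03-01T08:00:10 user=bob action=failure src=10.0.0.7;2024-03-01T09:15:00 user=bob action=failure src=10.0.0.9;2024-03-01T09:20:00 user=carol action=success src=10.0.0.8"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<ts>\S+)\s+user=(?<user>\S+)\s+action=(?<action>\S+)\s+src=(?<src>\S+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| fields - data ts
| search user=* action=failure
| stats min(_time) AS first_seen, max(_time) AS last_seen, values(src) AS src, count BY user
| eval dif=last_seen-first_seen
| eval dif_readable=tostring(dif, "duration")
| table user, dif, dif_readable, count, src
```

Against real data, drop everything up to and including `| fields - data ts` and put `user=* action=failure` on the first line as the base search; the `stats` and `eval` lines are the actual answer. `src` has to be carried through `stats` with `values()` because any field not named in the `stats` clause is gone afterwards, which is also why the original `table user, dif, src` would have come back without `src`. Keeping `count` alongside `dif` is worth it for a failed-login search: a large `count` over a small `dif` is the shape of a brute-force or password-spray attempt, while a user with a single failure gets `dif=0` and `dif_readable=00:00:00`, which is expected rather than an error.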