I'm attempting to show when a file was received and when it was sent out. The code below generates the table below that.
index=syslog (source="Outbound.log" OR source="Inbound.log")
|stats values(User) as user, earliest(_time) as received, latest(_time) as sent by externalId
|eval oc_received = strftime(received, "%F %T")
|eval oc_sent = strftime(sent, "%F %T")
|eval oc_time = round((sent - received)/3600,2)
|fields user, externalId, oc_received, oc_sent, oc_time
|sort - oc_time
example_user | example_id | 2019-12-24 05:32:22 | 2019-12-24 05:32:22 | 0.50
But it won’t output a result when it just received the file but did not send it yet.
Is there a way I could have these show as blank or NULL in the table?
And if it is empty, how would I generate the time difference as between now and when it was sent?
Thanks!