Hello,  I have a search running that shows the custom "Sign-on_Time" field in a table. I want to format it to a more readable format.  Here is my search: index="foo" host="bar" sourcetype="foobar" OR sourcetype="barfoo" | rex "Session_ID\": \"(?<Session_ID>\w+)\"" | stats values(System_Account) as System_Account values(Authentication_Type) as Authentication_Type values(Sign-on_Time) as Sign-on_Time values(Is_Admin) as Is_Admin count(eval(like(Authentication_Type,"Proxy Started"))) as SA_count values(Task) as Task by Session_ID | where SA_count > 0 | where Is_Admin = 1 | table System_Account Authentication_Type Sign-on_Time Session_ID Is_Admin Task The time comes out like this: Is there a way for me to format it to like (HH MM SS, MM-DD-YY)? In my Sign-on_Time field, I tried doing this: eval signOnTime=strftime(Sign-on_Time,"%a %B %d %Y %H:%M:%S")  and then I tried outputting that in my table and it doesn't show up. What am I doing wrong? ... View more

Hello,  I have a sourcetype called "signons" and it has a field called "Session_ID" and "System_Account" In my search, I am looking for any proxy sessions and want to display those proxy sessions with the same "Session_ID" in the sourcetype called "user_activity". To check if a session is a proxy session, the "System_Account" field has the words "on behalf of". Here is my search so far:      index="foo" host="bar" sourcetype="signons" System_Account="*on behalf of*"     One example of an event that returns:     "System_Account": "12345 / Aaron Cherian on behalf of 67890 / John Doe", "Authentication_Type": "Proxy Started", "Session_ID": "4743ha", "Is_Admin": "1", "Elapsed_Time_Minutes": "1029"     I want to take this Session_ID (There are multiple different Session_ID's because there are many proxy sessions that are being run during the day) and search for the events in a different sourcetype called "user_activity" (This basically checks the user activity for that specific Session_ID.  Here is my search for that:     index="foo" host="bar" sourcetype="user_activity" 4743ha     This is just displaying the events for that specific Session_ID. Is there a way to search for all Session_ID's that have the words "on behalf of" in the "System_Account" field in the "user_activity" sourcetype and display the events? Basically I want to combine these two searches for all proxy Session_ID's Thanks! EDIT: I have posted the same post accidentally under a different category. I am unsure to how to delete it. I apologize for the double post.   ... View more

Hello,  I have a sourcetype called "signons" and it has a field called "Session_ID" and "System_Account" In my search, I am looking for any proxy sessions and want to display those proxy sessions with the same "Session_ID" in the sourcetype called "user_activity". To check if a session is a proxy session, the "System_Account" field has the words "on behalf of". Here is my search so far:    index="foo" host="bar" sourcetype="signons" System_Account="*on behalf of*"   One example of an event that returns:   "System_Account": "12345 / Aaron Cherian on behalf of 67890 / John Doe", "Authentication_Type": "Proxy Started", "Session_ID": "4743ha", "Is_Admin": "1", "Elapsed_Time_Minutes": "1029"   I want to take this Session_ID (There are multiple different Session_ID's because there are many proxy sessions that are being run during the day) and search for the events in a different sourcetype called "user_activity" (This basically checks the user activity for that specific Session_ID.  Here is my search for that:   index="foo" host="bar" sourcetype="user_activity" 4743ha   This is just displaying the events for that specific Session_ID. Is there a way to search for all Session_ID's that have the words "on behalf of" in the "System_Account" field in the "user_activity" sourcetype and display the events? Basically I want to combine these two searches for all proxy Session_ID's Thanks!   ... View more

I am trying to create a table something like this that will fetch the data for all the events for the past 7 days. I want this to be ran any time and it would update the dates dynamically at the top. I want it to look something like this: Host Sourcetype 6/1 6/2 6/3 6/4 6/5 6/6 6/7 " " " " Count Count Count Count Count Count count   Here is my search so far: index=" " | bucket span=1d _time | eval dayOfDate=strftime(_time,"%Y/%m/%d") | stats count by host, sourcetype, dayOfDate | table host sourcetype dayOfDate count | rename count as "Number of events"   The dates show vertically and I wanted it to show up as column headers for the last 7 days that updates dynamically whenever I run this search. ... View more