Hi
I have two sets of data: one is proxy logs (index=netproxy) and the other is an extract of LTE logs, which logs every time the device joins. I'd like to cross-reference the proxy logs with the LTE data so I can extract the IMEI number, but the IMEI number could exist in logs outside of the search time window. The below search works, but only if the timeframe is big enough that it includes the device in the proxy logs. Is there a way I can maybe extend the earliest time for 24 hours prior to the search time window? I don't want to do "all time" on the subsearch because the IP address allocations will change over time and then be matched against the wrong IMEI.
index=netproxymobility sourcetype="zscalernss-web"
| fields transactionsize responsesize requestsize urlcategory serverip ClientIP hostname appname appclass urlclass
| join type=left ClientIP
[ search index=netlte
| dedup ClientIP
| fields ClientIP IMEI
]
thanks
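One way to get the 24-hour lookback asked about above, as an added example that is not part of the original post: a nested subsearch reads the selected time range with `addinfo` and hands a shifted `earliest` back to the LTE subsearch. It assumes a bounded time range is selected in the time picker (with "All time", `info_max_time` is not a usable epoch value) and reuses the index, sourcetype and field names from the post.

```spl
index=netproxymobility sourcetype="zscalernss-web"
| fields transactionsize responsesize requestsize urlcategory serverip ClientIP hostname appname appclass urlclass
| join type=left ClientIP
    [ search index=netlte
        ``` inner subsearch: take the outer search window and move its start back 24h (86400 s) ```
        [| makeresults
         | addinfo
         | eval earliest = info_min_time - 86400
         | eval latest = info_max_time
         | return earliest latest ]
      ``` events come back newest first, so dedup keeps the most recent attach per ClientIP ```
      | dedup ClientIP
      | fields ClientIP IMEI ]
```

Because `dedup` keeps the newest LTE event per ClientIP in the widened window, an address that was reallocated inside that window still maps to its latest IMEI, so keep the outer search window short relative to how often addresses change.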