| search file_action=Uploaded
Query No. 1 selects file_action. Thus no result, I think.
This is my recommended query:
sourcetype=cerberus-ftp host=SERVER (src_ip=$tokenA$ OR user=$tokenB$ OR (file=$tokenC$ AND file_action=$tokenD$))
| eval file_action=case(match(file_action,"stored"),"Uploaded",match(file_action,"sent"),"Downloaded",match(file_action,"deleted"),"Deleted")
| eval file_action = file.":".file_action
| stats first(_time) as _time list(file_action) as file_action by connection_id
| stats values(_time) as _time by file_action
| eval file=mvindex(split(file_action,":"),0)
| eval file_action=mvindex(split(file_action,":"),1)
| table _time, file, file_action