I am trying to select the earliest record and then pipe that into the map function to perform an addition search using that information.
So far I am trying the following:
index="proxy_logs" "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" earliest=-1d | stats earliest(_time) as first_event by cs_host | eval nice_time = strftime(first_event,"%F %T")| eval check_from = relative_time(first_event, "-d") | eval check_from = strftime(check_from,"%F %T")
| map maxsearches=42 search="search earliest=$check_from$ latest=$nice_time$ index=proxy_logs filter_result!=DENIED cs_host=$cs_host$" | eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join cs_host
[search index="proxy_logs" "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" cs_host!="" earliest=-1d |eval blocktime = strftime(_time,"%F %T") | stats earliest(_time) as blocktime by cs_host | fields cs_host, blocktime ]
This returns no results however if I break the search up it does return results for the dataset that I am testing.
... View more