index=log-3155-prod* eventtype=fwdldap-all-prod-hosts sourcetype="ldap-infra:access" laas_appId="ldap-infra/prod/ldap_FWD_PROD"
| eval timeFromBIND=if(match(_raw,".BIND."),_time,NULL)
| eventstats first(timeFromBIND) as timeFromBIND by conn
| eval diff=_time-timeFromBIND
| rex field=_raw "from (?.) to (?.)"
| stats first(_time) as connTime first(timeFromBIND) as timeFromBIND first(diff) as diff by source destination conn
| fields - diff - conn - timeFromBIND | rename connTime to connTime_in_sec | sort - connTime_in_sec
--------the source-destination is fine with this command, but doesn't give the time I need plus the format is weird.. ..any idea?
... View more