Hi,
I thought this would be easy but no!
I'm doing the query below on the sample data below, but the FileTime_END value I'm getting is 15:29:00 for every line (I don't have enough points to attach images or post links, sorry).
What am I doing wrong? Also is there a better way to do this without a JOIN?
Cheers guys.
index="file-times" State=START | table Service FileTime State | rename Service as Service_Start, FileTime as Filetime_Start, State as State_Start
| join Service type=outer [search index="file-times" State=END | table Service FileTime State | rename FileTime as Filetime_End, State as State_End]
Sample Log/Index Data:
23/07/2019 09:34:00, Service=RR, FileTime=9:33:45, State=START
23/07/2019 10:31:00, Service=RR, FileTime=10:30:45, State=END
23/07/2019 11:01:00, Service=HHR, FileTime=11:00:32, State=START
23/07/2019 11:31:00, Service=HHR, FileTime=11:30:32, State=END
23/07/2019 12:01:00, Service=LPE, FileTime=12:00:32, State=START
23/07/2019 12:55:00, Service=LPE, FileTime=12:54:32, State=END
23/07/2019 12:01:00, Service=SMURF, FileTime=12:00:32, State=START
23/07/2019 13:01:00, Service=SMURF, FileTime=13:00:00, State=END
23/07/2019 14:00:00, Service=TEST, FileTime=14:05:00, State=START
23/07/2019 14:30:00, Service=TEST, FileTime=14:29:00, State=END
23/07/2019 15:00:00, Service=TEST1, FileTime=15:05:00, State=START
23/07/2019 15:30:00, Service=TEST1, FileTime=15:29:00, State=END
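The usual way to pair the START and END events without a join is a single pass over both event types followed by stats by Service. This is an added example, not part of the original post; it assumes the index and field names shown above (index="file-times", Service, FileTime, State) and that FileTime is a plain HH:MM:SS string.

```spl
index="file-times" (State=START OR State=END)
| eval Filetime_Start=if(upper(State)="START", FileTime, null())
| eval Filetime_End=if(upper(State)="END", FileTime, null())
| stats earliest(Filetime_Start) as Filetime_Start latest(Filetime_End) as Filetime_End by Service
| eval Duration_secs=strptime(Filetime_End, "%H:%M:%S") - strptime(Filetime_Start, "%H:%M:%S")
| table Service Filetime_Start Filetime_End Duration_secs
```

Because stats groups only by Service, a service that runs more than once in the search window collapses to its first start and last end; add a date bucket to the by clause (for example `bin _time span=1d` before the stats, then `by Service, _time`) if one row per run is needed.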