Hi, I am trying to search for two event types, each in a different time range. Here I am using a time token. The event types are "Password Change" and "Login". When I apply a search for the last 4 hrs, my query should search the "Password Change" event for the last 4 hrs and the "Login" event for the last 8 hrs. Similarly, when I change the time filter my query should change accordingly.
index=new (EventType="Password Change" earliest=$token.earliest$ latest=$token.latest$) OR (EventType="Login" earliest=$token.earliest$-4h latest=$token.latest$) | remaining query
Can anyone help me with this?
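An added example of one way to express the two windows, not part of the original post. It assumes a Simple XML dashboard where the panel search's own `<earliest>`/`<latest>` elements are set from the same time input (`$token.earliest$` / `$token.latest$`), so the subsearch inherits the picker's range; `addinfo` then exposes that range as `info_min_time` / `info_max_time`, `relative_time` shifts the start back by 4 hours, and `return` hands the computed `earliest`/`latest` pair back to the outer search as time modifiers. The index name `new`, the `EventType` field and the final `stats` are taken from or assumed for the question; adjust them to the data.

```spl
index=new
    (EventType="Password Change" earliest=$token.earliest$ latest=$token.latest$)
    OR
    (EventType="Login"
        [| makeresults
         | addinfo
         | eval earliest=relative_time(info_min_time, "-4h"), latest=info_max_time
         | return earliest latest])
| stats count by EventType
```

With the picker on "Last 4 hours" this searches password changes over 4 hours and logins over the preceding 8; changing the picker moves both windows together because the subsearch is recomputed from the job's time range each run. Keeping explicit time modifiers on both OR clauses matters: once any clause carries its own `earliest`, the picker no longer bounds the others, so an unqualified clause would silently search all time.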