I have 2 searches:
1. Search(AAA)|rename _time as TimeA|table TimeA host;
2. Search(BBB)|rename _time as TimeB|table TimeB host
How to create a new search:
Search(???)|table host; (or Search(???)|table TimeA TimeB host)
Which will only list the hosts that TimeB is older(or smaller) than TimeA
(there might be more than 1 results TimeA and TimeB for each host, in that case, just pick the latest one to compare)
↧