Below is my search.
What I need is to have the time related to that error also saved (Timen) and then shown in the final result, which has the result of another subsearch.
When I run it, I am getting the value of only FIELDNAME1 and not Timen.
index!=_internal "error" " |eval Timen=strftime(_time,"%m/%d/%y %T")| accum Timen| rex "(?i)text>(?P<FIELDNAME>[^<]+)" | dedup FIELDNAME | map search="search index!=_internal $FIELDNAME$" | search "error1 " |rex "(?i)text1=(?P<FIELDNAME1>[^]]+)" | rex "(?i)text2=(?P[^]]+)" | eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1 Time Timen