I'm currently trying to get the duration of some events, but when i use this search nothing is coming back:
`| tstats count earliest(_time) AS first latest(_time) as last FROM datamodel=Vulnerabilities where (nodename="Vulnerabilities" Vulnerabilities.severity!="informational") by Vulnerabilities.signature
| eval first_time=strftime(first,"%Y-%m-%d %H:%M:%S") , last_time=strftime(last,"%Y-%m-%d %H:%M:%S")
| fields - first,last
|eval duration=last_time-first_time`
The strftime command converts the unix time, but im not able to get the difference
↧