Hi Splukers,
@niketnilay
I have table with 4 fields. I created the status with eval command with
index=XXX sourcetype=XXX
| search (PLSO=false AND PLSA=true) OR (PLSO=true AND PLSA=false)
| eval Status = if(PLSO=="false","ON","OFF")
| table _time Place Type Status
> _time Place Type Status> 2019-09-03 00:00:33 ABC 1 OFF> 2019-09-03 00:01:51 ABC 2 ON > 2019-09-03 02:34:21 ABC 3 OFF> 2019-09-03 02:43:06 ABC 1 ON> 2019-09-03 02:47:51 ABC 2 OFF> 2019-09-03 02:49:51 ABC 2 ON> 2019-09-03 03:00:51 ABC 3 ON> 2019-09-03 03:57:53 ABC 3 OFF> 2019-09-03 04:10:53 ABC 1 OFF
Now i need the result as
Place type1-On:time type1-Off Time type2 -On:time type2 Off Time type3 On:time type3 Off Time
ABC 02:43:06 04:10:53 00:01:51 02:47:51 03:00:51 03:57:53
↧