Hey all,
I am working on a dashboard to do a basic email search through Proofpoint logs and am using the transaction command to stitch together the events with the same message_session_id.
The query currently looks like this: index=proofpoint | transaction message_session_id | search from=$from$ to=$to$ rule=$rule$ subject=$subject$ | table from to subject file_name rule
My question is how would I table the time of the first event as a time column?
If I just run: index=proofpoint | transaction message_session_id it appears that it is just grabbing that first event's timestamp and using that as the time.
Thanks!
Andrew
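One way to get that timestamp into the table, as an added example that is not part of the original post and not an official Splunk answer. It builds on the query above and on the fact that transaction sets _time on the stitched event to the earliest member's timestamp (and populates duration with the span to the latest); the column name first_seen and the strftime format are my choices, and the |s token filter is Splunk's own quoting filter for dashboard tokens:

```spl
index=proofpoint
| transaction message_session_id
| eval first_seen=strftime(_time, "%Y-%m-%d %H:%M:%S")
| search from="$from|s$" to="$to|s$" rule="$rule|s$" subject="$subject|s$"
| table first_seen from to subject file_name rule
```

Simply adding _time to the table clause also works, since a dashboard table renders _time as a formatted timestamp; the eval only gives the column a descriptive name and a fixed format. Two caveats worth knowing: after transaction the from, to, subject and rule fields can be multivalue (one value per stitched event), so the search filter matches a session if any member event matches, not only the first one; and wrapping each token as "$from|s$" makes Splunk quote and escape the user-supplied value, so a value typed into the dashboard input cannot inject extra search syntax into the query.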