Hello. I want to extract timestamp data using stats list() and display that data as part of a larger search, so I run it inside of a subsearch.
If I run the search as the main search, like this:
"Connected" | stats list(date_hour) as myHour | eval myTime=mvindex(myHour, 5) | eval myDiff=myTime - 2 | table myDiff
it works fine, and displays a number.
When I run it as part of a subsearch, like this:
("This" OR "That") AND NOT ("Other" OR "Those") | join connectionId [ search "Connected" | stats list(date_hour) as myHour | eval myTime=mvindex(myHour, 5) | eval myDiff=myTime - 2 | fields myDiff] | table myDiff
Nothing is displayed.
The outer search works fine by itself, and the inner search works fine by itself.
What am I doing wrong?
↧