I'm trying to select a specific custom time range within a search after selecting a larger time range with the time picker and narrowing down the results using eventstats. What would be the way to do this exactly? My query looks like this:
index=bhs sourcetype=BHS_LBT_BAG | addinfo | eventstats earliest(_time) as FirstAppearance by BAGTAGID | where FirstAppearance=_time
In this case, the second time range I want to narrow it down to is the earliest being 5AM the previous day up to 5AM the current day.