09 Aug 2023 02:27 PM - last edited on 10 Aug 2023 09:05 AM by MaciejNeumann
fetch dt.entity.host, from: now()-15m //1
[...]
| lookup [ fetch events, from: now()-3h //2
...]
| lookup [ timeframe, //3
...]
[rest of the main host query]
09 Aug 2023 03:00 PM
Hi @PiotrG
I have just tried it out by executing the following query:
fetch dt.entity.host, from:now() -15m
| fieldsAdd key = 1
| lookup [fetch events, from:now()-180m, to:now()-175m | fieldsAdd key=1 | sort timestamp asc | fields timestamp,key], sourceField:key, lookupField:key, prefix:"withTF."
| lookup [fetch events | fieldsAdd key=1 | sort timestamp asc | fields timestamp,key], sourceField:key, lookupField:key, prefix:"withoutTF."
| fields from= now()-15m, withTF.timestamp, withoutTF.timestamp
If you don't specify the TF in the lookup, then the TF is inherited from the original query.
Best,
Sini