May seem trivial but it is eluding me! What would I add in the search to extract the time of the event?
host=server sourcetype=iis NOT #Software NOT #Fields NOT /favicon.ico (method=GET OR method=POST) NOT eventtype="web-imagefile" | stats count by src_ip,user,uri_stem
Thanks!
What do you want to do with _time?
Try
stats count by src_ip,user,uri_stem,_time
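An added example, not part of the original thread: with raw `_time` in the `by` clause, every distinct timestamp becomes its own row, so the counts mostly collapse to 1. The two searches below reuse the question's base search and show two other ways to carry time through `stats`: the first buckets `_time` by hour before counting, the second keeps one row per `src_ip`/`user`/`uri_stem` with the earliest and latest request times. The one-hour span and the field names `first_seen` and `last_seen` are assumptions chosen for illustration.

```spl
host=server sourcetype=iis NOT #Software NOT #Fields NOT /favicon.ico (method=GET OR method=POST) NOT eventtype="web-imagefile"
| bin _time span=1h
| stats count by src_ip, user, uri_stem, _time

host=server sourcetype=iis NOT #Software NOT #Fields NOT /favicon.ico (method=GET OR method=POST) NOT eventtype="web-imagefile"
| stats count min(_time) AS first_seen max(_time) AS last_seen by src_ip, user, uri_stem
| convert ctime(first_seen) ctime(last_seen)
```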