Hello,
I'm trying to get a form search to work where, based on "group", I want an "eval" field called total_bytes to show up in a data table on my dashboard view. My search below works correctly from the search bar, but when I add it as a form to a custom view, my result set does not show total_bytes.
Can someone help me to determine what's wrong?
Here's the search that works:
index=nc3sec sourcetype=syslog jav20023: | eval total_bytes = sent + rcvd | stats sum(total_bytes) by group
Here's my xml for the form:
I am not sure if this solves your problem. Could you try the following search?
"sourcetype=syslog jav20023: | eval total_bytes = sent + rcvd | stats sum(total_bytes) AS total by group | table total group "
Your field "total_bytes" just seems not to appear in your row table view. So, I think using the table command will help with this.