index=* sourcetype=* host=* | search Event=176 | top limit=20 User| table Location, Event, User, Address, Time
It displays the table but my columns with the fields Location, User, Address and Time appear to be empty. Any reason why?
Try this
index=* sourcetype=* host=* Event=176 | stats count list(Location) as l, list(Event) as e, list(Address) as a, list(_time) as t by User | sort 20 - count | eval z=mvzip(l, mvzip(e, mvzip(a, t))) | rex field=z "(?<Location>[^\,]+)\,(?<Event>[^\,]+)\,(?<Address>[^\,]+)\,(?<Time>.*)" | eval Time=strftime(Time, "%x %X") | table Location, Event, User, Address, Time