I am trying to list certain datamodels in a table along with their log count but I can't seem to find how to list the datamodel name itself in the table. I tried displayName and datamodelName. The query lists everything I want except for the datamodel so it's difficult to tell which data belongs to which datamodel.
| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Web
| append
[| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Malware]
| append
[| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Intrusion_Detection ]
| eval "Start time"=strftime(min, "%c")
| eval "End time"=strftime(max, "%c")
| eval "Event count" = count
| fields "Start time" "End time" "Event count"
FINAL SOLUTION
| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Web
| appendcols
[| datamodel Web
| spath displayName
| table displayName]
| eval datamodel_name = Web
| append
[| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Malware
| appendcols
[| datamodel Malware
| spath displayName
| table displayName]
| eval datamodel_name = Malware]
| append
[| tstats summariesonly=t min(_time) as min, max(_time) as max count from datamodel=Intrusion_Detection
| appendcols
[| datamodel Intrusion_Detection
| spath displayName
| table displayName]
| eval datamodel_name = Intrusion_Detection]
| eval "Start time"=strftime(min, "%c")
| eval "End time"=strftime(max, "%c")
| eval "Event count" = count
| fields "Start time" "End time" "Event count" displayName
1 Solution
