I have data in index "main" and sourcetype "app" and fields "content_name" and "os". So how can I create Top content by OS?
Like this:
index=main sourcetype=app | top content_name BY os