Hello,
I am currently faced with the problem while creating stats for a specific event, where the event itself contains a custom source field. With my current search it will use the default source field rather than the custom source field of the event. How can I use this custom source field in the by clause of the stats command?
Here an event sample:
name=testEvent source=application1 eventType=type1
Here the search:
eventType=type1 | stats count as occurrences by source, eventType
Thanks in advance,
Rainer
... View more