Is that you Kiran? 🙂
This works a treat.
No not all the fields will exist. I just need to add this in front:
notable
| eval user= if(isnull(user),"",user)
| eval dest= if(isnull(dest),"",dest)
| eval src= if(isnull(src),"",src)
| stats count by drilldown_search,dest,src,user
| foreach * [eval drilldown_search=replace(drilldown_search,"\$<<FIELD>>\$", <<FIELD>>)]
Shame I cannot condense the '| eval user= if(isnull(user),"",user )' etc into one statement where I do not need to know the names of $var$.
Thanks.
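The search above defaults the missing fields to an empty string before `foreach` substitutes each `$field$` token in `drilldown_search` with that field's value. The following Python model, added here as an illustration and not part of the comment or of Splunk, replays that pipeline over three constructed notable rows so the effect of the `eval ... isnull` lines can be seen: with them, a row whose `dest` and `user` are absent still yields a usable drilldown; without them, the substitution step yields a null `drilldown_search`. The model assumes, as the comment's workaround implies, that `replace()` with a null replacement argument returns null; the field names and sample values are invented.

```python
import re
from collections import Counter

# Constructed sample rows, shaped like what `notable` might return (invented data).
NOTABLES = [
    {"drilldown_search": 'search src="$src$" dest="$dest$" user="$user$"',
     "src": "10.0.0.5", "dest": "10.0.0.9", "user": "alice"},
    {"drilldown_search": 'search src="$src$" dest="$dest$" user="$user$"',
     "src": "10.0.0.5", "dest": "10.0.0.9", "user": "alice"},
    {"drilldown_search": 'search src="$src$" dest="$dest$" user="$user$"',
     "src": "10.0.0.7", "dest": None, "user": None},   # dest and user missing
]

# The token fields the search defaults with `eval f = if(isnull(f), "", f)`.
FIELDS = ("dest", "src", "user")


def default_nulls(row, fields=FIELDS):
    """Model of the three `| eval f = if(isnull(f), "", f)` lines."""
    return {**row, **{f: ("" if row.get(f) is None else row[f]) for f in fields}}


def spl_replace(value, pattern, replacement):
    """Model of SPL replace(): a null subject or replacement yields null (assumption)."""
    if value is None or replacement is None:
        return None
    # A callable replacement avoids re.sub interpreting backslashes in field values.
    return re.sub(pattern, lambda _m: replacement, value)


def stats_count(rows, by=("drilldown_search",) + FIELDS):
    """Model of `| stats count by drilldown_search,dest,src,user`."""
    counts = Counter(tuple(r[k] for k in by) for r in rows)
    return [dict(zip(by, key), count=n) for key, n in counts.items()]


def expand_drilldowns(rows, fields=FIELDS):
    """Model of the foreach: replace(drilldown_search, "\\$<<FIELD>>\\$", <<FIELD>>)
    for each token field (the `*` in the search also visits non-token fields,
    which simply match nothing)."""
    out = []
    for r in rows:
        dd = r["drilldown_search"]
        for f in fields:
            dd = spl_replace(dd, r"\$" + re.escape(f) + r"\$", r[f])
        out.append({**r, "drilldown_search": dd})
    return out


def run(rows=NOTABLES, fill_nulls=True):
    """Full pipeline; fill_nulls=False omits the isnull guards to show the failure mode."""
    prepared = [default_nulls(r) for r in rows] if fill_nulls else rows
    return expand_drilldowns(stats_count(prepared))


if __name__ == "__main__":
    for row in run():
        print(row["count"], row["drilldown_search"])
    for row in run(fill_nulls=False):
        print(row["count"], row["drilldown_search"])
```

Running it prints the two aggregated drilldown searches with values substituted, then the same pipeline without the guards, where the third row's drilldown comes back as `None`.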