I need to produce a report that shows average use of an app over a certain period of time. I noticed in the log that the app name is not consistent. For example, the same app will show up with several variations, but it is the same app. So it might look like:
Field 1
app=AAA
app=AaA
app=aaa
Here's what I have so far:
index=system action=successful application=app | stats count by date_month | stats avg(count) as avg_count | eval avg_count=round(avg_count) | fieldformat avg_count=tostring(avg_count,"commas")
I want the search to count all the variations of the app name but only use one value. So the desired output would be:
application avg_count
AAA 10