Hey,
I'm having an issue trying to combine a field into one when searching a separate field. I have tried two separate searches, but I do not get results from either of them.
index=iis_aps cs_username!="-"| eval session1=coalesce(ASP_NET_SessionId,TransID) | stats count(session1) by cs_username
index=iis_apps | eval sessiongrp=case(ASP_NET_SessionId="*", "aspsess", TransID="*", "trans", 1=1, "Not Found") | stats list(host) by sessiongrp
I am trying to get the session id and transid from the results of searching for cs_username. So that the result would show the username and then the session id or transid. I am not sure what I am doing wrong. Any help is appreciated.
... View more