Something like this?
source="wineventlog:*" NOT type=information | table _time Source Type
Thank you so much! That's pointed me in the direction I needed.
Search code listed below:
source="wineventlog:*" type NOT information
There is a type value that is indexed as I can search on it.
Can you post your search here? Do you have a Type field in your index, or an evaluated field, before you display it as a table?
Suppose if you have Type in your index, you can do this:
Your Base Search...| table Time Source Type
Suppose if you are evaluating the Type field, then:
Your Base Search ..| eval Type = YOUR EVAL EXPRESSION | table Time Source Type
If you provide more details then we can help you write the search as you need
Sorry, I thought I added an image but must have forgotten to. In fact, I just tried now and it says I need more karma to do so.
Well, I will try to explain it here. This is how it currently looks:
Time Source SourceType
10:00am / Application / Application
I want it to look like this:
Time Source Type
10:00am / Application / Warning
Minus the / of course; I used them to separate the columns.
more info please.
Use | table col1,col2,....
or
fields - col1 to remove column
or fields + col1 to add column