hi @cmorrall
try like this
index="_internal" |head 2 |eval Apples=50,Bananas=44,results="Logout" |append [|makeresults |eval Apples=50,Bananas=44,results="Logout" ] |append [|makeresults |eval Apples=50,Bananas=44,results="Logout" ] |append [|makeresults |eval Apples=50,Bananas=44,results="Logging starting" ] |append [|makeresults |eval Apples=50,Bananas=44,results="Logout" ] |table Apples Bananas results |streamstats count as counting |where counting > [search index="_internal" |head 2 |eval Apples=50,Bananas=44,results="Logout" |append [|makeresults |eval Apples=50,Bananas=44,results="Logout" ] |append [|makeresults |eval Apples=50,Bananas=44,results="Logout" ] |append [|makeresults |eval Apples=50,Bananas=44,results="Logging starting" ] |append [|makeresults |eval Apples=50,Bananas=44,results="Logout" ] |table Apples Bananas results |streamstats count as counting1 |where results="Logging starting"|return $counting1]
Thanks
Harish
