I have 4 event fields in a single line; now I need to filter the top 200 events for a particular event field, which I can do by using " | top=200 ". My main problem is that in the statistics and visualization it shows only the event and its count; I would like to have all the remaining 3 event fields which come with it in the data.
In the table I would like to use the filter; is it possible, like ordering?
Thanks in advance.
Try something like this
<your base search> [search <your base search> | top limit=200 fieldX | table fieldX] | ...remaining search
The subsearch will eliminate other values of fieldX which are not part of top 200.
host=PDT DataTag=HistoryData [ search host=PDT DataTag=HistoryData | top limit=200 "ScannedNetwork: .SSID" | table "ScannedNetwork: .SSID" ] It returns no result; I am sure there is data at all times.
My doubt is that when I use the top command it tables only one field in statistics and visualization. How do I add other fields in statistics?
host=PDT DataTag=HistoryData "ScannedNetwork: .Channel"=44| top limit=200 "ScannedNetwork: .SSID"
In statistics and visualization it provides only SSID, count, percentage. I don't want percentage; instead I want the other event fields. I would also like to know how to customize the visualization graph, e.g. instead of count I would like to have an event field.
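As an added example (not part of the thread, and not the answerer's own searches), the subsearch pattern from the answer written out with the field names used later in the thread, `ScannedNetwork: .SSID` and `ScannedNetwork: .Channel`. It assumes those field names are exactly as shown; names containing spaces or colons must be double-quoted everywhere they appear, including inside `top`, `table`, and `stats ... by`. The first search keeps only events whose SSID is among the top 200 and then aggregates by both SSID and Channel, so the second field survives into the statistics table. The second search uses `top`'s `showperc=f` option to drop the percentage column.

```spl
host=PDT DataTag=HistoryData
    [ search host=PDT DataTag=HistoryData
      | top limit=200 "ScannedNetwork: .SSID"
      | table "ScannedNetwork: .SSID" ]
| stats count by "ScannedNetwork: .SSID", "ScannedNetwork: .Channel"
| sort - count

host=PDT DataTag=HistoryData "ScannedNetwork: .Channel"=44
| top limit=200 "ScannedNetwork: .SSID" showperc=f
```

The subsearch expands to an OR of the 200 SSID values, so the outer search still returns whole events; any further field can be added to the `stats ... by` clause, or the `stats` line can be replaced with `table` listing the fields to see individual events rather than counts.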