Here is my current query:
index=abc* | stats count by user,date | eval highcount=if(count>=1000,1000,count)
This gives me output like this:
user1 200 200
user2 34 34
user3 1200 1000 --> I want to stop counting for this user once high count reaches 1000 and continue counting other users as it finds them.
First of all, what is the purpose and duration of the search? (Do you want to count the number of users?)
Please provide a sample log.
How many items are you searching for?