The logs are created by the same application and have the same fields.
What I am after is displaying the count of events from two hosts (of 10) as a single host in a timechart. This search breaks out authentications across 10 hosts; I want it to look like there are 9 hosts.
sourcetype=rsa_auth AUTHN_LOGIN_EVENT | timechart span=1d count by host
You could do it in the search with an eval to merge the two hosts' data into one:
sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host