In my search, I am trying to display four columns: enr, firstTime, lastTime, and ErrorCount. However, it is currently not displaying anything in the ErrorCount column
Here is my query:
host=X source=X ("Loader.swf - IOError loading" OR "Sending result file")
| rex field=_raw "\x5BE=(?P<enr>[0123456789]+)\x5D"
| eventstats count(eval(searchmatch("Loader.swf - IOError loading"))) AS bad count(eval(searchmatch("Sending result file"))) AS Complete by enr
| where bad>0 and Complete=0
| stats earliest(_time) as First, latest(_time) as Last by enr
| convert ctime(Last) as LastTime, ctime(First) as FirstTime, auto(bad) as ErrorCount
| table enr, FirstTime, LastTime, ErrorCount
How do I fix this?
Try this
host=X source=X ("Loader.swf - IOError loading")
| rex field=_raw "\x5BE=(?P<enr>[0123456789]+)\x5D"
| stats earliest(_time) as First, latest(_time) as Last, count as ErrorCount by enr
| convert ctime(Last) as LastTime, ctime(First) as FirstTime
| table enr, FirstTime, LastTime, ErrorCount
The reason you weren't getting anything in ErrorCount is because the stats command was only returning enr, FirstTime and LastTime.
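An added example, not part of the original question or answer: the answer above only searches the IOError events, so it no longer applies the original query's condition that an enr is reported only when it has errors and no "Sending result file" event. The query below keeps that condition. The cause of the empty column is that `stats ... by enr` emits only the aggregations it is asked for, so any field computed earlier (here `bad`) is gone afterwards. The fix is to compute both counts in the same stats call that produces First and Last, then filter. host, source, the two message strings and the rex pattern are taken from the question; the field names is_error, is_complete and Complete are assumed for illustration.

```spl
host=X source=X ("Loader.swf - IOError loading" OR "Sending result file")
| rex field=_raw "\x5BE=(?P<enr>[0123456789]+)\x5D"
| eval is_error=if(searchmatch("Loader.swf - IOError loading"), 1, 0)
| eval is_complete=if(searchmatch("Sending result file"), 1, 0)
| stats earliest(_time) AS First, latest(_time) AS Last, sum(is_error) AS ErrorCount, sum(is_complete) AS Complete BY enr
| where ErrorCount > 0 AND Complete = 0
| convert ctime(First) AS FirstTime, ctime(Last) AS LastTime
| table enr, FirstTime, LastTime, ErrorCount
```

Two notes on this form. First, because the where clause keeps only enr values with Complete = 0, every event that survives for those enr values is an IOError event, so First and Last describe the error window and not a mix of error and completion times. Second, if you prefer to keep the eventstats structure of the original query, the minimal change is to carry the field through the aggregation, for example `stats earliest(_time) AS First, latest(_time) AS Last, max(bad) AS ErrorCount BY enr`; any field not named in stats is dropped, which is exactly what the answer above describes.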