I'm not able to populate the host field with information when using the search below. When I look at the events tab, I see these common fields shown such as host, ComputerName, ServerType but for some reason it's not populating in the table. Did I leave it out of my stats pipe and that's why it's not working?
Search:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) as lasttime count(source_exception) as Total by source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
Your stats line throws away the host value. Try something like this:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) AS lasttime count(source_exception) AS Total values(host) AS host BY source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
Thanks @woodcock
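A variation on the search above, added here as an example and not taken from either post: `values(host)` collapses every host into one multivalue cell per exception, so when you need to see which host produced how many errors, put `host` in the BY clause instead and roll the totals back up with `eventstats`. The field names `exception_total` and `host_count` are made up for this illustration.

```spl
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
``` one row per (exception, host) pair: host survives because it is a BY field ```
| stats sparkline max(_time) AS lasttime count(source_exception) AS Total BY source_exception, host
``` add per-exception rollups without collapsing the per-host rows ```
| eventstats sum(Total) AS exception_total dc(host) AS host_count BY source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| sort -exception_total, -Total
| table exception_total, host_count, host, Total, lasttime, sparkline, source_exception
```

Any field that is neither aggregated nor listed after BY is gone once `stats` runs, which is why the original `table` showed an empty host column.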