Based on what I've studied, I should be able to show a new field named item with a search such as the one below:
index=existing_index | eval item = "apple" | stats count by source | table source, item, count
I would expect output similar to the table below.
| source |
item |
count |
| a/b/123.log |
apple |
5 |
| a/c/915.log |
apple |
6 |
| a/b/574.log |
apple |
1 |
Instead, this happens:
| source |
item |
count |
| a/b/123.log |
|
5 |
| a/c/915.log |
|
6 |
| a/b/574.log |
|
1 |
Why did I not get what I expected?
