@ITWhisperer I tried the below search; it's not working at all.

| where _time=$eventid$ OR EventID=$eventid$ OR Server=$eventid$ OR Message=$eventid$ OR Severity=$eventid$

When I keep this search in the panel it gives all the desired results. But when I search in the textbox for values of Severity (Critical or Warning or Information) it's not working. When I search in the textbox for values of EventID, Server or Message, it is working. I think it's not working because Severity is a custom field, I guess; is this right? The EventID, Name as Message and host as Server fields are from _raw.

index=foo host=foo "$search$" OR Severity="$search$" | eval Severity=case(EventID="1068", "Warning", EventID="1", "Information", EventID="1021", "Warning", EventID="7011", "Warning", EventID="6006", "Warning", EventID="4227", "Warning", EventID="4231", "Warning", EventID="1069", "Critical", EventID="1205", "Critical", EventID="1254", "Critical", EventID="1282", "Critical") | rename Name as Message, host as Server | table _time EventID Server Message Severity

Any suggestions?
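One way to restructure the search so the textbox token is applied only after the calculated Severity field exists, as an added example that is not part of the original post; the index, host, token name and the EventID-to-Severity mapping are taken from the post, and the textbox input is assumed to have a default value of * so an empty box matches everything.

```spl
index=foo host=foo
| eval Severity=case(EventID="1068", "Warning", EventID="1", "Information",
                     EventID="1021", "Warning", EventID="7011", "Warning",
                     EventID="6006", "Warning", EventID="4227", "Warning",
                     EventID="4231", "Warning", EventID="1069", "Critical",
                     EventID="1205", "Critical", EventID="1254", "Critical",
                     EventID="1282", "Critical")
| rename Name as Message, host as Server
| search "$search$" OR Severity="$search$"
| table _time EventID Server Message Severity
```

Severity is not in _raw, so a filter on it in the base search never matches; placing the search command after the eval lets the same token filter raw text, EventID, Server or Message, and the computed Severity value. The cost is that the free-text filter no longer prunes events at index time, so limit the base search with a time range and any indexed fields you can.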