@gcusello Yeah it's odd. Neither of those 2 return any stats results (I checked to make sure I copied the whole query, updated as appropriate for indexes etc.). The original query is only giving 20 entries under stats (and far fewer results), which used to work, so that's also weird. What we've been doing is something along the lines of this:

index=test OR index=test2 source="insertpath" ErrorCodesResponse=TestError TraceId=*
| fields TraceId
| append
    [ search index=test "Test SKU" AND @mt !="TestAsync: Request(Test SKU: )*"
    | fields TraceId, @t, @mt, RequestPath
    | where isnotnull('@t') AND isnotnull('@mt') AND match('@mt', "Test SKU: *") ]
| eval date=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%Y-%m-%d"), time=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%H:%M")
| stats values(date) as date values(time) as time values(@mt) as message values(RequestPath) as Path by TraceId
| where isnotnull(date) AND isnotnull(time) AND isnotnull(message)
| table date, time, TraceId, message, Path

This seems to work better than our old search, but I'd prefer to try and figure out yours as it's not using those appended searches.