I need to be able to display the Authentication.reason field in a |tstats report, but for some reason, when I add the field to the by clause, my search returns no results (as though the field was not...
See more...
I need to be able to display the Authentication.reason field in a |tstats report, but for some reason, when I add the field to the by clause, my search returns no results (as though the field was not present in the data). Except when I query the data directly, the field IS there. I have tried this with and without data model acceleration to no avail. This search returns zero results: | tstats count from datamodel=Authentication by Authentication.user, Authentication.app, Authentication.reason This search returns results in the format I need, except I need to query multiple indexes via the data model index=<indexname> tag=authentication
| stats count by user, app, reason