The search below is taking anything that contains IBC Allow in the category and repurposing it to a new Category. Only thing is, I'm not able to capture the IBC Allows stuff as well from the category and repurpose it to the new Category. How can I accomplish this?
index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | search Category=IBC | timechart per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb by GW
... View more