Is it possible to do an eval after using timechart? I want to modify the count values in column A by dividing those values by 10. My query below is not performing the operator on column A.
(index=Wineventlog sourcetype="WinEventLog:security" EventCode=4740 OR (action=failure EventCode=4625 host=eee OR host=xyz) OR (host=asd (EventCode=516 OR EventCode=411) NOT clientIP=10.10.10.10) NOT user="-") OR (index=fff action=failure)
| eval output=coalesce(userMsg, lockoutUser, user, sAMAccountName)
| eval descrip=case(EventCode=4625, "A", EventCode=4740, "B", EventCode=411, "C", EventCode=516, D", EventCode="AVEN-FAIL", "E")
| timechart span=1h dc(output) as count by descrip
|eval count=if(descrip="A", count/10, count)
... View more