source=****** "Result from operation"
| rex field=message ".*?returnCode=(?<code>\d+).*"
| eval status=if(code=0000,"success","failure")
| stats count(eval(status="success")) as complete, count(eval(status="failure")) as incomplete
| eval success = complete, failures = incomplete, total=(success +failures), percent = (success/total)
| table total, complete, failures, percent
No matter what I try, when I try to add time to this table it does not display. A separate search with
|eval hour=strftime(_time, "%H")
|table hour
works. Why can't I add hour to the table above? What would I do instead?