Thanks. However, I'm having a bit of trouble with the sentinel value implementation (found on pages 25-27).
index=myIndex AND sourcetype=mySource AND ("string1" OR "string2") | eval split=if(match(_raw, ".*string1.*"), "Requests", "Timeouts") | inputlookup append=true Timeouts | chart count by split
The above query returns 'The lookup table Timeouts is invalid'. What am I missing?