I can get the following search to work...
sourcetype=MySource | eventstats max(DATA_CATEGORY) by source
...and it works, but if I try to define this as a named column I could add to props.conf, I get an eval error using...
sourcetype=MySource | eval MyColumn = eventstats max(DATA_CATEGORY) by source
I found another post that suggested the following would work, but it failed to return anything at all
sourcetype=MySource | eventstats max(DATA_CATEGORY) by source as MyColumn | eval ShowColumn = MyColumn
so I'm close, but no cigar... any ideas?