Summary:
When using the table command, values are dropped if { is the first character.
index=someindex host="VVV" source=somesource earliest=-24h action
NOT( ACTION ="SUMMARY" OR ACTION="RESULT")
| dedup ID
|rename ID as "Rcrds Prcssd To Date"
| rename EVENT_DT as "Date Time" EVENT as "API EVENT"
|convert ctime(_time) as RunDate timeformat="%m/%d/%Y %H:%M %p"
|table ID,RunDate,ACTION, "API EVENT"
|SORT -ID
When the "API EVENT" field has a { starting value, the remaining values are dropped.
If I replace
|table ID,RunDate,ACTION, "API EVENT"
with
|fields ID,RunDate,ACTION, "API EVENT"
I see the { and the remaining values for "API EVENT"
Why is the table comm, and dropping values?
... View more