Hi Community. I have this SPL: | tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity | rename "IDS_Attacks.*" as "*" | eval temp="" | chart useother=true first(count) over temp by severity | rename temp as count And its working fine. However, I have values for IDS_Attacks.severity in form of "high" and "High" appart from other values, wich i woudl like to keep intact. The SPL is counting the two values as different values, and I would like them to be merged into one count as "High". Tried this: | tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity | rename IDS_Attacks.severity as severity2 | eval temp="" | eval severity3 = if(severity2="high","High", severity2) | chart useother=true first(count) over temp by severidad2 | rename temp as count and its not working. Note I need the SPL to be showing a report from a dashboard. Thanks in advance.
... View more