I receive a bunch of messages that are all assigned to a group by the groupID. I also have a dynamic set of a range as a multivalue field that needs to be used as a filter for these messages. I tried it like this so far, but couldn't get any results:

index=my_index sourcetype=my_source
| eval range=case("case1", mvrange(1,9), "case2", mvrange(10,19),...)
| where groupID in (range)
| stats count(_raw) as count by groupdID

So if case1 happens, I only want to see the amount of messages in the specified groupID range, and so on. Can anyone help me with that?