Here is my current query:
index=abc* | stats count by user, date | eval highcount=if(count>=1000, 1000, count)
This gives me output like this:
user1 200 200
user2 34 34
user3 1200 1000 --> I want to stop counting for this user once high count reaches 1000 and continue counting other users as it finds.
Thanks