Hi,
Can anyone tell me why this comment is not working? I have all the mentioned fields in my data, but when I add stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
I'm not getting any result. Here is my full search:
src=122.15.158.173 sourcetype=cisco:asa "Deny*" |stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
... View more