This works because the eval functions the same way as the syntax of the where command. The "%" replaces the "*".
Feel free to accept the answer if you think it clarified your question.
you could pipe to the addinfo command, which will add fields for info_min_time and info_max_time to your events. And then you could do the math from there. Of course, you'd have to determine how to handle odd scenarios like "All Time"...
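As an added example (not part of the answer above), here is how that addinfo math can be done in SPL while handling the "All Time" case, where Splunk sets info_min_time to 0 and info_max_time to "+Infinity"; the index, sourcetype and the events-per-minute goal are assumptions for illustration:

```spl
index=_internal sourcetype=splunkd
| addinfo
| eval span_sec = if(info_max_time="+Infinity", null(), info_max_time - info_min_time)
| stats count AS events, max(span_sec) AS span_sec
| eval events_per_min = if(isnull(span_sec), "n/a (All Time selected)", round(events / (span_sec / 60), 2))
| table events span_sec events_per_min
```

For an "All Time" search span_sec is null, so the rate is reported as not available instead of producing a misleading division result.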
Hey, you can try something like this:
index=* | top host
The above query will be much slower; if you want to get results faster, then you can try the tstats command.
| tstats count where index=* by host | sort -count
Let me know if this helps!