I want to speed up a search by creating a data model and using tstats.
This is the search using the data model so far:
| tstats count from datamodel=WinEvents.Summary by _time, host, Summary.EventCode, Summary.SourceName, Summary.Type, Summary.Keywords span=1m | stats earliest(_time) as First latest(_time) as Last count by host, Summary.EventCode, Summary.SourceName, Summary.Type
In the original search, I used eval:
...| eval Type=if(Keywords=="Audit Success", Keywords, Type) | eval Type=if(Keywords=="Audit Failure", Keywords, Type)
Since that is a complex aggregate function (according to the documentation), how do I make that work with tstats?