Hello,

I have a collection of logs (same source type), but some of them have different or additional fields. In order to figure out when they appear, I'm trying to create a query that shows me which fields are distinct after a specific time range.

Let's say I have 200 events from 13:00 to 14:00. Now I want to group the stats values(*) results by creating time range fields:

| eval timerange1=(13:00 to 13:15), timerange2=(13:15 to 13:30)

so I can use

| stats values(*) by timerange1, timerange2

I was considering using date_hour, date_minute, etc., but I think there must be an easier way, as I would need additional commands. Also, I don't know the right format, as every time I get "Type checking failed. '-' only takes numbers."

So do you have any suggestions for how I could solve this? I'm thankful for any help.

Kind regards,
Alex