Re: events not showing

sulaimancds · ‎04-25-2023

| tstats summariesonly=true max(_time) as lastTime, count FROM datamodel=Change BY "All_Changes.action", "All_Changes.result_id", "All_Changes.user", "All_Changes.dest" | rename "All_Changes.*" as * | search result_id = 4732 | convert ctime(lastTime) as lastTime

i am running this command , there is output , but i want to see events and know more details , but events not showing

total number of events Complete 590,046 events

VatsalJagani · ‎04-25-2023

@sulaimancds - tstats command does not search events, as it is built for performance and not for showing events. Use datamodel command instead or a regular search.

| datamodel Change All_Changes search strict_fields=false

Kindly upvote if you find this answer useful!!!

sulaimancds · ‎04-25-2023

hi please provide me the full command

VatsalJagani · ‎04-26-2023

@sulaimancds - Try this as a full search and run it in "Verbose mode".

| datamodel Change All_Changes search strict_fields=false | search "All_Changes.result_id"=4732

This will show the events as you asked.

But if you need events as well as the results then do a regular search in "Verbose mode".

index=* tag=change | stats max(_time) as lastTime, count BY action, result_id, user, dest
| search result_id = 4732 
| convert ctime(lastTime) as lastTime

Kindly accept the answer and upvote if this helps you!!!

events not showing

search

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!