I need to create a baseline for what is common in an environment before creating a rule. The rule can be as simple as:   search index=x sourcetype=y NOT [search index=x sourcetype=y earliest=-14d | table user]   The issue is doing an historical search using a simple search. I've looked a few commands including transaction and streamstats but did not manage to find a way to run this search recursively.  The basic idea is to find a rare value on a specific field that is only seen less than a set threshold (e.g. 10 events) during a 14 days windows. ... View more

I'm attempting to run a query and I've run into a really weird situation where if I run a query with "head 10 | fields *" I'm getting results but if I use "stats" with any field it does not return results. For example, this query is returning the results:     index=main sourcetype=o365:management:activity Field1=Value1 | head 10 | fields *       This is returning no results:     index=main sourcetype=o365:management:activity Field1=Value1 | stats count by _time     Somehow this does work and returns the result   index=main sourcetype=o365:management:activity Field1=Value1 | head 10 | stats count by _time   I've looked into it and did not manage to find similar issues, did anyone see anything similar before? ... View more