My search:
index=test
| where Value>=95
| stats count(Value) as Events by Host
The result:
- If there are values above 95, a table will be created by Host and number of Events per host.
- If there are no values above 95, I would like to return just a message "test" or an Event field as 0.