Hi All
How can I use _indextime field in table or stats command without renaming or converting it.
Not working
Ex: * | table host source sourcetype _time _indextime _raw
Its working if I rename the _indextime or convert the _indextime, But I want the results with _indextime as field
Working
Ex: * | eval indextime=_indextime | table host source sourcetype _time indextime _raw
Thank you
↧