I am trying to group events and get the delta of `_time`. This search returns the events I want to group.
The events are XML. I cannot get the events to group by the **clientid**.
Here's what I have so far:
```
index="personalizedoffer" earliest="08/16/2016:00:00:00" (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version" | xmlkv | stats range(_time) as duration by clientid
```
The `clientid` is a field in the XML body of the raw data. I used the `xmlkv` command to break up the XML into fields, where I want to group by the `clientid` field. Is this the right way to approach this?
Thanks in Advance
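Added example, not part of the original post and not Splunk's own code: a small offline emulation of what `| xmlkv | stats range(_time) as duration by clientid` does to a set of XML events, so the grouping behaviour can be checked without a Splunk instance. The XML tag names, the sample events and their timestamps are constructed here for illustration; the one real Splunk behaviour it reproduces is that `stats ... by <field>` silently drops every event in which the split-by field was not extracted, which is the first thing to check when a grouping "does not work" (in Splunk itself: `... | xmlkv | search NOT clientid=*`).

```python
"""Emulate `xmlkv | stats range(_time) as duration by clientid` over XML events.

Added example for the question above; the events and tag names below are
constructed, not taken from the poster's index.
"""
import re
from collections import defaultdict

# Constructed sample events as (_time epoch seconds, _raw XML).
# 1471305600 is 2016-08-16 00:00:00 UTC, matching the post's earliest= value.
# The last response deliberately carries no <clientid> element: that is the
# case a `stats ... by clientid` grouping silently throws away.
SAMPLE_EVENTS = [
    (1471305600, "<offerInquiryRequest><clientid>C-100</clientid><offer>gold</offer></offerInquiryRequest>"),
    (1471305602, '<EnVisionResponse version="1.0"><clientid>C-100</clientid><status>OK</status></EnVisionResponse>'),
    (1471305605, "<offerInquiryRequest><clientid>C-200</clientid><offer>silver</offer></offerInquiryRequest>"),
    (1471305611, '<EnVisionResponse version="1.0"><clientid>C-200</clientid><status>OK</status></EnVisionResponse>'),
    (1471305620, "<offerInquiryRequest><clientid>C-300</clientid><offer>gold</offer></offerInquiryRequest>"),
    (1471305627, '<EnVisionResponse version="1.0"><requestId>42</requestId><status>OK</status></EnVisionResponse>'),
]

# Simple <tag>text</tag> pairs only: no attributes on the tag and no nested
# elements in the value, which is the shape xmlkv turns into field=value.
_TAG_RE = re.compile(r"<([A-Za-z_][\w.-]*)>([^<]+)</\1>")


def xmlkv(raw):
    """Emulate Splunk's xmlkv: each simple <tag>text</tag> becomes field tag=text."""
    return {m.group(1): m.group(2).strip() for m in _TAG_RE.finditer(raw)}


def events_missing_field(events, field="clientid"):
    """Return the (_time, _raw) events that xmlkv could NOT extract `field` from.

    These are exactly the events `stats ... by <field>` will drop, so listing
    them is the practical check for a grouping that comes out wrong.
    """
    return [(t, raw) for t, raw in events if field not in xmlkv(raw)]


def stats_range_time_by(events, split_by="clientid"):
    """Emulate `stats range(_time) as duration by <split_by>`.

    Returns {split_by value: max(_time) - min(_time)}. Events without the
    split-by field are excluded, as Splunk does; a value seen in a single
    event gets a range of 0, which is what a missing request/response pair
    looks like in the output.
    """
    times = defaultdict(list)
    for t, raw in events:
        fields = xmlkv(raw)
        if split_by in fields:
            times[fields[split_by]].append(t)
    return {key: max(ts) - min(ts) for key, ts in times.items()}


if __name__ == "__main__":
    for client, duration in sorted(stats_range_time_by(SAMPLE_EVENTS).items()):
        print(f"clientid={client} duration={duration}")
    dropped = events_missing_field(SAMPLE_EVENTS)
    print(f"{len(dropped)} event(s) without clientid were dropped from the grouping")
```

Running it shows durations of 2 and 6 seconds for the two clients whose request and response both carry `clientid`, a duration of 0 for the client whose response lacks it, and one dropped event. If the real search shows the same pattern, the fix is on the extraction side (the field has a different tag name or sits under an attribute in one of the two event types), not in the `stats` clause.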