I have some data that looks like:

| Status | Rec_Cnt | Message |
|---|---|---|
| OK | 723 | File produced 723 records |
| ERROR | 123 | Directory does not exist |

What I want is for `Status = "OK"` to only display the **Status** and **Rec_Cnt** fields. If the `status!="OK"`, then I want to display Status, Rec_Cnt *and* **Message**.
So I tried:
```
| ...base search...
| stats count by Status, Rec_Cnt
| where Status!="OK"
| stats count by Status, Rec_Cnt, Message
```
Which I didn't expect to work, and it did not. I know it is not that simple, but I am at a loss as to how to get what I am looking for.
Ideas on what I should try next?