Hi,
I have a si that is populated by this search:
| tstats count where index=test* groupby sourcetype, _time | rename count as events | timechart span=10d sum(events) by sourcetype | rename _raw as orig_raw
However, I would like to put it in another si. To do this, I need the orig_sourcetype fields preserved to do the second search. Any thoughts on how to do this?