I've created a summary index to keep track of my customer IDs and what their last IP address was; however, I'm getting very strange behaviour while trying to use the fields.
This search runs successfully and produces a full set of results:
index=last_ip_summary | table Last_IP Cust_ID
This search runs successfully and produces a full set of results:
index=last_ip_summary | stats count by Last_IP Cust_ID
But this search only gives me the Last_IP field in the table; the other column is totally blank:
index=last_ip_summary | stats values(Cust_ID) by Last_IP
Surely this is impossible? Every event in the summary index has a Last_IP and a Cust_ID.
My summary index is populated with .... | sistats count by Cust_ID Last_IP
Any help would be greatly appreciated.