Hi Guys,
I have been struggling with this issue for a few days; please provide me with your inputs. I have a search query:
```
sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | stats count by message
| append [ search message="account error : account not found in abc" | stats count by message ] | append [ search message="account error : xyz field missing in abc claims" | stats count by message]
```
Here, I need to add the sum of the "account error: primary account number is null" search, so I am taking it as an eval to sum up the result and display it as a number. With that, I am appending the remaining 2 subsearches. Everything is working well and it displays something like this:

| message | count |
| --- | --- |
| account error: primary account number is null | 5 |
| account error : account not found in abc | 26 |
| account error : xyz field missing in abc claims | 5 |

**My Issue is:**
When I click to view the events of the individual searches, let's say I am selecting "account error : account not found in abc", the search events query is coming up like this:

```
sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account error : primary account number is null*"),"account error: primary account number is null") | search message="account error : account not found in abc"
```

Why am I getting the eval search in the search events? How do I get rid of that in the search events?