Hi
In the saved search below, I retrieve the field "SITE" because I use a dropdown list in my dashboard in order to filter events by SITE
| stats avg(sent_data) as sent_data avg(received_data) as received_data, values(SITE) as SITE by USERNAME
| where sent_data < 50
| lookup XX.csv HOSTNAME as USERNAME output SITE
| stats dc(USERNAME) as NbSentReceveid
| appendcols
[| inputlookup host.csv
| lookup XX.csv HOSTNAME as host output SITE
| stats count as NbIndHost]
| eval Perc=round((NbSentReceveid/NbIndHost)*100,1)
| table Perc
I called the saved search from my dashboard like this
| loadjob savedsearch="admin:XX:YYY"
| search SITE=$tok_filtersite|s$
But it doesn'y works because I think I "lost" the fields SITE in my saved search
Is it true?
I tried to add | table Perc, **SITE** at the end of my search and to add | fields - SITE at the end of my loadjob command but it doesnt works
What is wrong please??
↧