hello
In my dashboard, I use a scheduled search with a filter token because i have a dropdown list which allow me to do a filter by SITE
But I need to execute the stats command after the loadjob because I need to pick up all the 10 events (head 10) for a specific site
If I am doing the stats command directly in the savedsearch, I pick up all the 10 events (head 10) but for different sites
Is there a solution to solve the problem directly in the saved search because if I am doing the stats command afer the loadjob, its not very useful to use a scheduled search
| loadjob savedsearch="admin:SA_Monitoring_sh:Performances - Compliance host"
| search SITE=$tok_filtersite|s$
| stats values(SITE) as SITE, count by host flag
| where isnotnull(flag)
| rename host as Hostname, flag_patch_version as "Patch level", SITE as Site
| fields - count
| table Hostname Site "Patch level"
| sort +"Patch level"
| head 10
thanks
↧