I have this search that produces a table which has a column that lists the number of segments to a schedule. The table is shown below: ![alt text][1]
[1]: /storage/temp/291933-table.png
I want to filter on the maximum number of segments (either 2 or 3). This is the query:
...search | table purchCostReference, eventType, Time, Segments, Carriers, BillingMethod, Origin, Destination, StopOffLocation | stats max(Segments) as TotalSegments by purchCostReference, eventType | search TotalSegments = 2 |sort Time
I can use the **max** method to get the maximum number of segments and use the where to filter on the number of segments that I need, but not all of the data is returned, only the columns that I used for the **max** function, and I don't want the column **TotalSegments** displayed.
I want to return only the rows that have 2 segments and not have an additional column of TotalSegments.