Hi
I am looking for a way to get the number of events from host=ALL with **sourcetype=tps**. However it looks like i can't.
I am looking to display all the host that have a TPS sourcetypes. However the below search is giving me all the events for every sourcetype. Can i refine the search? in bold below is not having any impact
| metadata type=hosts index=mlc_log_drop **sourcetype=tps** | search host=* | rename host as log_drop_name | lookup PROJECT_GROUPINGS.csv log_drop_name OUTPUTNEW project | stats first(recentTime) as time, max(project) as project, first(totalCount) as total_events by log_drop_name | rename total_events as TPS_Events | eval TPS_Events=tostring(TPS_Events, "commas")| sort -time | fieldformat time = strftime(time,"%a, %d %b %Y %H:%M:%S") | head 5001
↧