I am having trouble understanding summary indexing and keeping stats on container objects, but I am really interested in the stats on distinct objects in the containers. How do I cause summary indexing to keep stats on the distinct items?
Let's say I am an internet service provider (ISP) and I provide IP addresses that are grouped by network, and I wish to count addresses in use. I would summarize as follows:
index=blah | fields ip
| eval age_category=case(_timerelative_time(now(), "-60d@d") AND _timerelative_time(now(), "-30d@d") AND _time
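As an added example (not part of the original post), here is the usual way to keep a distinct count across summary indexing in Splunk: the scheduled search uses the summary-indexing form of stats, `sistats dc(ip)`, which stores the per-bucket distinct values rather than a finished number, and the reporting search finishes the count with an ordinary `stats dc(ip)` over the summary index. Assumptions here: `index=blah` and the field `ip` are from the question, `network` is assumed to be the field that groups addresses, `ip_usage_summary` is an assumed saved-search name (summary-indexed events carry the saved-search name in `source` and have `sourcetype=stash`), and the summary is written to the default `summary` index. The first search is the one to schedule (for example once a day over the previous day) with summary indexing enabled; the second runs ad hoc, or on its own schedule, against the summary index:

```spl
index=blah
| fields _time ip network
| bin _time span=1d
| sistats dc(ip) BY network, _time

index=summary source="ip_usage_summary" sourcetype=stash
| stats dc(ip) AS distinct_ips BY network
```

The pitfall this avoids is summarizing with a plain `stats dc(ip) BY network` and later running `stats sum(...)` over the daily results: an address seen on five of the days would be counted five times, so the rollup overstates addresses in use. Because `sistats dc()` has to retain the distinct values themselves, the summary index grows with the number of distinct addresses per bucket, not just the number of networks; check its size against the time range the final report will cover.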