Hello. If I run a search like this:

```
"..." | dedup 2 correlationId | eval EpochTime = _time | eval nowTimeEpoch=time() | eval minTime=0 | eval maxTime=1 | stats min(EpochTime) as minTime max(EpochTime) as maxTime | table minTime, maxTime, correlationId
```

I get epoch time values for `minTime` and `maxTime`, but nothing for the `correlationId`, which is a custom field extracted by a regular expression.
If I change the search by removing the `stats` component, I get a value for `correlationId`, and default dummy values `0` and `1` for `minTime` and `maxTime`. Apparently when `stats` is run, it does something to wipe out the value for `correlationId`. Why does this happen, and how can I get the `stats` functions to work harmoniously so that I can parse and see all the values?
Thanks for your help