Members

|tstats count WHERE index=* OR index=_ BY index
 

Don’t forget time modifier is required

index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count by savedsearch_name reason
 

Look at the reason to know how to TB.

There is a bug that make a search being executed 2 times or more.
index=_internal sourcetype=scheduler scheduled_time=* savedsearch_name=* |stats count by scheduled_time, savedsearch_name | where count > 1

Sorry but a query would not be elegant.

TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z

TZ_ALIAS = A=GMT+1:00, B=GMT+2:00, C=GMT+3:00, D=GMT+4:00, E=GMT+5:00, F=GMT+6:00, G=GMT+7:00, H=GMT+8:00, I=GMT+9:00, K=GMT+10:00, […]

Impact: since there is no timezone, the logs will have the same timezone as the local user. Therefore in another timezone, the logs won’t have the same order. If no TZ is specified, perhaps we could hard code […]

Given an IP network address and it’s netmask represented under integer format, the bellow search will create a CIDR representation from the lookup without using built-in tools.

 
|inputlookup geoip | head […]