I just sat through the hands-on training, and am working on creating a table using Sumo's "parse using public/cisco/asa" - which gives me a bunch of fields. I'd like to arrange them in order on the messages tab, and am trying to use the command: "| fields dest_host,src_host,dest_port" - however, they're coming out alphabetical. Is there a way to specify the field order? And then I'd like to attach the search results in a table format to a panel and dashboard. However, I have to aggregate in order to be able to put it into a table. But I don't really want to aggregate - I want to have a running list of firewall denies - newest at the top. Is there a way to pretend to aggregate without aggregating? I want the same fields in my search messages tab to go into the table to the panel to the dashboard.