How to list selected fields in the email alert of a scheduled search?

Comments

  • Harinder Bhandari

    You can aggregate the data and remove the _count field using the "field" operator. Can you try this search:

    _collector=*.app.sce.prd-* and _sourceCategory=ecs and "TaskStatus: (RUNNING->STOPPED)"
    | parse "STOPPED, task: *:*" as taskname,ignorePart
    | count by taskname, ignorePart
    | fields - _count

  • Jagadeesh Sunkara

    That worked, but I am not getting the timestamp when the event happens (I need _messagetime).

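One way to carry the event time through the aggregation in Harinder's query, as an added example that is not part of either comment: it reuses the same filter and `parse` pattern, and assumes Sumo Logic's default newest-first result ordering, so `first(_messagetime)` is the most recent matching event in each group.

```sumo
// Added example: same filter and parse as the query above, plus the event time
_collector=*.app.sce.prd-* and _sourceCategory=ecs and "TaskStatus: (RUNNING->STOPPED)"
| parse "STOPPED, task: *:*" as taskname, ignorePart
// first() keeps the epoch-millis _messagetime of the newest event per group
// (assumes default newest-first ordering); no _count is produced, so no "fields -" is needed
| first(_messagetime) as last_stopped by taskname, ignorePart
// render the epoch value as a readable time for the alert email
| formatDate(toLong(last_stopped), "yyyy-MM-dd HH:mm:ss zzz") as stopped_at
| fields taskname, ignorePart, stopped_at
```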