I have this query which lists only selected fields but when I create a scheduled search from this query, i am seeing the standard Time and Message fields but not the fields listed here. Is there a way to list these selected fields in the email alert report?
_collector=*.app.sce.prd-* and _sourceCategory=ecs and "TaskStatus: (RUNNING->STOPPED)"
| parse "STOPPED, task: *:*" as taskname,ignorePart
| fields _messagetime, taskname
Please sign in to leave a comment.