Hey guys, having a little trouble with this one.
How does one include the index in a table. This doesn't work:
(index=cwdswindows OR index=cwds) earliest_time="-7d"| stats max(_time) AS last_seen by host | sort host | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(last_seen) | table host, last_seen, index
I know it is pretty obvious by which index I search that is obviously the resulting index, but it would be nice if when I am sent the alert I can visibly see the source of the host and time last seen in my data table. I'm guessing since index is not a field, but rather a source full of fields, that is the issue. What is the way around this?
Thanks for any help at all!