I've been at this for a couple days with very limited success.
Any tips on how to display 2 fields from a Windows event log in a table? For example, let's say error 1000 has two fields, param1 and param2, and both are already indexed. I don't care about the other 90% of the message, just these two lines. Let's say param1 is a name and param2 is a set of IPs. I would like them to display as a table ("think Excel layout"), as it's easier for us to take action on vs. looking at the log directly.
Hi @PublicName. I could use a little more information.
Do you want to display only single documents with no aggregation? If so, maybe you can add those fields to a saved search in Discover. Saved Searches can also be added to a Dashboard as a paginated table.
Correct, looking for 0 aggregation on the table. Just need two fields pulled from a single document to be displayed based on time. Column A = param1 and Column B = param2, both from a single document.
Saved search works, and the two fields I want are displayed as expected. Just need that converted over to a visualization, and for the life of me the brain and fingers don't want to make it so...
In Visualize, the data table option is only presenting options for sums, totals, min, max, for example. Total is fine and all, but it's not helpful in this case, as it leaves me with no usable data in this instance.
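The per-document, no-aggregation view discussed in this thread, expressed as a plain Elasticsearch search request and flattened into rows (an added example, not code from the thread; the field names `event_id`, `param1`, `param2` and `@timestamp` are assumptions):

```python
"""Pull two fields per document (no aggregation) from a Windows event log
index, the way a Kibana saved search does, and flatten them into rows."""
import json

# Assumed field names (not from the thread): event_id, param1, param2, @timestamp.
INDEX_FIELDS = ["@timestamp", "param1", "param2"]


def build_query(event_id, size=100):
    """Elasticsearch search body: filter on the event ID, return only the
    fields we care about, newest first. No aggregations at all."""
    return {
        "size": size,
        "_source": INDEX_FIELDS,
        "query": {"bool": {"filter": [{"term": {"event_id": event_id}}]}},
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def hits_to_rows(response):
    """Turn each hit into one (timestamp, name, ips) row; param2 may be a
    single IP or a list of IPs, so normalise it into one cell."""
    rows = []
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        ips = src.get("param2", [])
        if isinstance(ips, str):
            ips = [ips]
        rows.append((src.get("@timestamp", ""), src.get("param1", ""), ", ".join(ips)))
    return rows


# Constructed sample response, shaped like an Elasticsearch search reply.
SAMPLE_RESPONSE = {
    "hits": {"hits": [
        {"_source": {"@timestamp": "2024-01-02T10:00:00Z", "param1": "svc-backup",
                     "param2": ["10.0.0.5", "10.0.0.6"]}},
        {"_source": {"@timestamp": "2024-01-02T09:30:00Z", "param1": "svc-web",
                     "param2": "10.0.1.9"}},
    ]}
}

if __name__ == "__main__":
    print(json.dumps(build_query(1000), indent=2))
    for ts, name, ips in hits_to_rows(SAMPLE_RESPONSE):
        print(f"{ts}\t{name}\t{ips}")
```

The request body is the same shape a saved search in Discover sends: a filter, a `_source` list and a sort, with no `aggs` block.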