keroro824
commented
10 years ago I see a lot of dedup error because of this. And it seems easy to fix. I'll do this one.
Closed keroro824 closed 10 years ago
keroro824
commented
10 years ago I see a lot of dedup error because of this. And it seems easy to fix. I'll do this one.
we only have field+optlist but not optlist+field eg. search eventtype=msad-successful-computer-logons user="$" dest_nt_domain="EDM"|table _time,host,src_ip|dedup consecutive=T src_ip|lookup SiteInfo host|table _time,src_ip,Site