I have 4 fields in logs file: index, userId, dateTime, name. I want to show only 2 fields in the search for a given criterion, like this:
index="AAA" userId="user123" | chart dateTime, name by criterio1
But it gives error. If it were in SQL it would be like this:
select dateTime, name where criterio1;
instead of chart, you need to use, search command
index="AAA" userId="user123"
| search name = "criterio1"
| table userId, dateTime, name
or even better would be
index="AAA" userId="user123" "criterio1"
| table userId, dateTime, name
this would return all events where "criterio1" is present
