So I'm using Enterprise Security and I've got a search string similar to this:
index=main | search username="admin" OR user="admin" | eval file_activity=if(isnull(file_activity), "unknown", file_activity) | stats count by _time, action, app, source, dest, host, Computer, Caller_User_Name, process_name, dest_asset, file_activity | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") | fields _time, action, app, source, dest, host, Computer, Caller_User_Name, process_name, dest_asset, count, file_activity | sort - count
Now, that's great for pulling all the data into the table. But when I go to add inputs to the panel to start narrowing this down, it's just not working!
Is there some kind of mismatch with the name and the token name maybe? Or do I have to go create a whole data model and change this all to tstats?
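For reference, this is an added example of how a Simple XML dashboard input is wired to a panel search, not the original poster's dashboard or anything from Splunk's own documentation. It reuses the search above and assumes the field names in it (`username`, `user`, `action`, and so on) exist in `index=main`. The key point it illustrates is that the `token="..."` attribute on the input defines the name, and the panel's search has to reference exactly that name as `$name$`; the labels shown to the user and the field names in the events play no part in the matching.

```xml
<form>
  <label>Admin activity by user (added example)</label>
  <fieldset submitButton="false">
    <!-- token="user" defines the token name; the search below must use $user$ -->
    <input type="text" token="user" searchWhenChanged="true">
      <label>Username</label>
      <!-- a default matters: a panel whose token has no value will not run at all -->
      <default>admin</default>
    </input>
    <!-- a time input exposes two tokens, $time.earliest$ and $time.latest$ -->
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- the hard-coded "admin" from the original search is replaced by the token -->
          <query>index=main | search username="$user$" OR user="$user$" | eval file_activity=if(isnull(file_activity), "unknown", file_activity) | stats count by _time, action, app, source, dest, host, Computer, Caller_User_Name, process_name, dest_asset, file_activity | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") | fields _time, action, app, source, dest, host, Computer, Caller_User_Name, process_name, dest_asset, count, file_activity | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two things to check when a tokenised panel appears to do nothing: first, that every `$...$` in the query matches a `token` attribute on some input character for character (tokens are case-sensitive); second, that each referenced token either has a `<default>` or has been given a value, because Simple XML holds the search back (it shows "Search is waiting for input") until all of its tokens are set. Tokens are substituted as plain text before the search runs, so they work just as well in an ordinary `search`/`stats` pipeline as in `tstats`; switching to a data model is a performance decision, not a prerequisite for inputs.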