Quick tip when working with the stats command

When you're working with the stats command, it's often nice to rename the fields to drop the aggregation type:

| makeresults count=3
| streamstats count
| eval foo="bar"
| stats latest(foo) as foo latest(count) as count

This gets annoying because of all the extra typing involved, and it violates the DRY principle.

Instead, try this next time:

| makeresults count=3
| streamstats count
| eval foo="bar"
| stats latest(foo) latest(count)
| rename latest(*) as *

Now you don't have to type every field name twice!