Quick tip when working with the stats command

When you're working with the stats command, it's often nice to rename the fields to drop the aggregation type:

| makeresults count=3 | streamstats count | eval foo="bar" | stats latest(foo) as foo latest(count) as count

This gets annoying because of all the extra typing involved, and it violates the DRY principle.

Instead, try this next time:

| makeresults count=3 | streamstats count | eval foo="bar" | stats latest(foo) latest(count) | rename latest(*) as *

Now you don't have to type every field name!