You can chain multiple commands into a single query by using the pipe (|) character. Any command except fields can appear before or after any other command. The fields command must always appear at the end of the command chain.
Example:
| chart count() as cnt by device_name | search cnt > 1000
This query counts the logs per device_name and then displays only those device names that appear more than 1000 times.
(label = logoff) AND hour(log_ts) > 8 AND hour(log_ts) < 16 |
latest by user |
timechart count() by user
This query selects the log messages labeled logoff that were collected between 8 AM and 4 PM, keeps only the latest message for each user, and then displays a timechart of those recent users for the selected time range.
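The following is an added example, not code from the original page or from the product documented here: a small Python model of how the commands in the two queries above compose when chained with the pipe. The log records, the function names (chart_count_by, search, latest_by, timechart_count_by) and the hour-sized time buckets are assumptions chosen for illustration; the point is that each command consumes the rows produced by the command before it, so placing latest by user ahead of timechart collapses the result to one event per user.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not from the original page), in the shape the
# queries above operate on: a timestamp, a label, a user and a device name.
BASE = datetime(2024, 1, 15, 0, 0, 0)
LOGS = (
    # 1200 logon events from fw-01, so fw-01 crosses the "cnt > 1000" threshold
    [{"log_ts": BASE + timedelta(minutes=i), "label": "logon",
      "user": "alice", "device_name": "fw-01"} for i in range(1200)]
    # three daytime logoffs for alice at 09:00, 09:01 and 09:02
    + [{"log_ts": BASE + timedelta(hours=9, minutes=i), "label": "logoff",
        "user": "alice", "device_name": "fw-02"} for i in range(3)]
    # one logoff for bob inside the window (15:30) and one outside it (17:00)
    + [{"log_ts": BASE + timedelta(hours=15, minutes=30), "label": "logoff",
        "user": "bob", "device_name": "fw-02"},
       {"log_ts": BASE + timedelta(hours=17), "label": "logoff",
        "user": "bob", "device_name": "fw-02"}]
)


def chart_count_by(logs, field):
    """Model of '| chart count() as cnt by <field>': one row per field value."""
    counts = Counter(log[field] for log in logs)
    return [{field: value, "cnt": n} for value, n in counts.items()]


def search(rows, predicate):
    """Model of '| search <condition>': keep only rows matching the condition."""
    return [row for row in rows if predicate(row)]


def latest_by(logs, field):
    """Model of '| latest by <field>': keep the most recent event per value."""
    newest = {}
    for log in logs:
        key = log[field]
        if key not in newest or log["log_ts"] > newest[key]["log_ts"]:
            newest[key] = log
    return list(newest.values())


def timechart_count_by(logs, field):
    """Model of '| timechart count() by <field>' with hour-sized buckets
    (assumed bucket size): counts keyed by (bucket start, field value)."""
    counts = Counter()
    for log in logs:
        bucket = log["log_ts"].replace(minute=0, second=0, microsecond=0)
        counts[(bucket, log[field])] += 1
    return dict(counts)


def busy_devices(logs, threshold=1000):
    """| chart count() as cnt by device_name | search cnt > 1000"""
    rows = chart_count_by(logs, "device_name")
    return search(rows, lambda row: row["cnt"] > threshold)


def daytime_logoffs(logs):
    """(label = logoff) AND hour(log_ts) > 8 AND hour(log_ts) < 16
    Note that, written this way, the window starts at 09:00 and ends at 15:59."""
    return [log for log in logs
            if log["label"] == "logoff" and 8 < log["log_ts"].hour < 16]


def recent_logoffs_by_user(logs):
    """... | latest by user | timechart count() by user"""
    return timechart_count_by(latest_by(daytime_logoffs(logs), "user"), "user")


if __name__ == "__main__":
    print(busy_devices(LOGS))            # only fw-01 exceeds the threshold
    print(len(daytime_logoffs(LOGS)))    # 4 logoffs fall inside the window
    print(recent_logoffs_by_user(LOGS))  # one bucket entry per user
```

Running the module shows the effect of command order: daytime_logoffs returns four events, but because latest by user runs before timechart, the chart contains a single entry for alice (her 09:02 logoff) and a single entry for bob (15:30), so the chart answers "when did each user last log off" rather than "how many logoffs happened per hour".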