I am trying to figure out a way to iterate through a list whenever the value is counted one time. I'm hoping it'll make mq so that way my query is speedier. Here's my current query:
index=* eventtype IN(valueA,valueB,valueC) | stats count by eventtype
and the result looks like this:
What I'd like is a query where if the query finds the value in the field one time, move on to find the next value. This is how I want the output to look like:
Any help would be appreciated.
index=* eventtype IN(valueA,valueB,valueC) | dedup eventtype | stats count by eventtype
View solution in original post
This is close to what I was looking for. Thank you!