You didn't give us a lot to go on.
Assuming that the two record types would have differing sourcetype (which they might not), the following should work:
...your base search here... | stats sum(src_bytes) AS Size by sourcetype
That would create a sum of the values in src_bytes, using sourcetype as a grouping, over the timeframe of your search. If you have another field differentiating the two categories, you should be able to use that instead of sourcetype.
Here's what I'm trying to do. I'm trying to get a ratio of events within a category, but I'm only concerned with two events. One event is in the category IBC. The other events I want to consolidate into one event in the category, to get a ratio of IBC to Non IBC traffic by srcbytes.
index=proxysg sourcetype=proxysg | stats sum(srcbytes) as MB by category | eval MB=round(MB/1024/1024,2) | category!=IBC Allow* as Non-Ibc, category=IBC Allow as IbC Allow
Is 'category' a field in your raw data, do you have it extracted, or is that piece of the search still pending? Can you provide a few sample records (anonymize the data set as required)?
There are likely a few ways to get what you're looking for.
Category is an extracted field. This search didn't work for me at all. This is the basic search I started out with manipulating to try to yield some results.
index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(src_bytes) AS Bytes by Category | eval MB=round(Bytes/1024/1024,2)
The ratios may need to be calculated once we've appropriately categorized the data.
Is it possible to have it set up like this? I'm mainly concerned with the layout of the results. The results of this show a list of bases with the POSTs, GETs and the ratio of GET/POST:
index=proxysg sourcetype=proxysg | stats count(eval(method="POST")) as POST, count(eval(method="GET")) AS GET by base | eval "RATIO OF GET/POST"=(GET/POST)
I don't know what your results look like, so not sure. That said, here's another search which should give you a ratio:
index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(eval(if(Category="IBC",srcbytes,0))) AS IBCMB, sum(eval(if(Category="Non-IBC",srcbytes,0))) AS Non_IBCMB | eval Ratio=IBCMB/Non_IBCMB, IBCMB=round(IBCMB/1024/1024,2), Non_IBCMB=round(Non_IBCMB/1024/1024,2)
That GET/POST one I sent you showed results like this:
   base    POST  GET  RATIO OF GET/POST
1. base a  9     9    1
2. base b  6     2    0.33
3. base c  2     3    1.50
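The per-base layout asked about above, applied to the IBC / Non-IBC byte split, as an added example that is not from any poster in this thread. The rows are constructed sample data generated with makeresults so the search runs without an index; the field names base, category and srcbytes come from the searches above, and the output field names are hypothetical.

```spl
| makeresults
| eval constructed_rows=split("base a,IBC Allow,1048576;base a,Social Networking,2097152;base a,IBC Allow Internal,3145728;base b,News/Media,4194304;base b,IBC Allow,1048576;base c,IBC Allow,524288", ";")
| mvexpand constructed_rows
| eval base=mvindex(split(constructed_rows, ","), 0),
       category=mvindex(split(constructed_rows, ","), 1),
       srcbytes=tonumber(mvindex(split(constructed_rows, ","), 2))
| eval Category=case(like(category, "IBC Allow%"), "IBC", 1=1, "Non-IBC")
| stats sum(eval(if(Category="IBC", srcbytes, 0))) AS IBC_bytes,
        sum(eval(if(Category="Non-IBC", srcbytes, 0))) AS NonIBC_bytes
        by base
| eval IBC_MB=round(IBC_bytes/1024/1024, 2),
       NonIBC_MB=round(NonIBC_bytes/1024/1024, 2),
       Ratio=if(NonIBC_bytes > 0, round(IBC_bytes/NonIBC_bytes, 2), null())
| table base IBC_MB NonIBC_MB Ratio
```

Bytes are summed first and converted to MB once per row, so small events are not rounded away, and a base with no Non-IBC traffic gets an empty Ratio instead of a division by zero.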