hi can someone please help me with this, ive been trying and searching but no luck. i want to split the "Delivered" field into 2 and stats count on each field.
ideally i want it to look like the below, so there will be the total count and then what makes up the total count should be split
Count| True| False
100 80 20
my search | mcType=delivery Dir=Inbound Sender="*" | chart sparkline count by "Sender" | sort count desc
hope it makes sense
Hi nic28,
you should share more information about your request.
Anyway you should try something like this
your_search
| stats count by Delivered
| addcoltotals labelfield=Delivered label=Total
| transpose header_field=Delivered
| fields - column
Bye.
Giuseppe
hi cusello , so that didn't do exactly what I wanted for this search, however that will be handy for another I need to do. this was actually a simple fix to my original search I just included "Delivered"
|chart sparkline count by "Sender", Delivered |and it gave me what I wanted. sorry for the half info, still new to this. thanks again
Hi @nic28,
Please try below query
my search | mcType=delivery Dir=Inbound Sender="*" | eval Deli_yes=if(Delivered="True", 1, 0 ) | eval Deli_no=if(Delivered="False", 1, 0) | stats count AS TotalCount, sum(Deli_yes) AS True, sum(Deli_no) AS False by Sender
I hope this helps.
Thanks,
Harshil
think I forgot to give more info. so im looking at all mails coming in from a particular sender. but some mails get delivered and others don't. so the true is delivered and false not. the count just gives the total amount obviously.