I have a query that returns the number of accounts processed by hostname. I would like to further break down the output to show the total number of messages sent for each account, which is a sum of the number of records per AccountID.
Is it possible to create a table with a column for each hostname and rows of the total number of processed activity by account? For example:
            Host1  Host2  Host3
AccountID1  6      34     54
AccountID2  100    56     230
AccountID3  20     250    550
This is my current search:
host="host*" Mail sent successfully | rex field=_raw ".renderTime.*connect.*send.*ms.(?<AccountID>.\w+)." | fields + host + AccountID | stats count by host
Output:
host count
I also tried the query below, but it only shows the total number of activity on all the hosts:
host="host*" Mail sent successfully | rex field=_raw ".renderTime.*connect.*send.*ms.(?<AccountID>.\w+)." | fields + host + AccountID | table AccountID, host | stats values(host) as Host count(AccountID) as "Total Messages Rendered" by AccountID | sort "Total Messages Rendered" desc
AccountID  Host   Total Messages Rendered
45633      host1  826169
           host2
12354      host2  305354
           host3
I'm having a little trouble parsing things the way they're getting displayed above, but does this get you to what you're trying to reach:
host="host*" Mail sent successfully
| rex field=_raw ".*renderTime.*connect.*send.ms.(?<AccountID>.\w+)."
| fields + host + AccountID
| stats count by host, AccountID
| xyseries AccountID host count
This works perfectly, thank you!
I added a field for the total number of requests sent by each host using "addtotal". The issue is that the total is the last column in the table, but I want it to be the second column. I have tried using fields and table to rearrange the columns, but it does not seem to display the correct count.
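The pivot from the thread with a row total placed as the second column, as an added example that is not from any poster here. The sample events built with makeresults, the account IDs 1001 to 1003, and the field name Total are constructed so the search runs without indexed data.

```spl
| makeresults
| eval raw="host1,1001 host1,1001 host2,1001 host3,1001 host1,1002 host2,1002 host2,1002 host3,1003"
| makemv delim=" " raw
| mvexpand raw
| rex field=raw "(?<host>[^,]+),(?<AccountID>\d+)"
| stats count by host, AccountID
| xyseries AccountID host count
| fillnull value=0
| addtotals fieldname=Total host*
| table AccountID, Total, host*
```

Passing host* to addtotals limits the sum to the host columns; without a field list it sums every numeric field in the row, which would include a numeric AccountID. The final table command only reorders columns, so it goes after the total has been computed.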