I want to sum the output that is stored in summary index and display the output in dashboard which shows sum of all counts for one week.
Below is the code i am using but the output comes as the previous day output stored in summary index:
index=*1 search_name="Daily File Transfer Counts" | dedup BASE_FILE_ID |table Date USER_NM BASE_FILE_ID FILE_NM File_Count_By_Day| bin _time as week span=7d| stats sum(File_Count_By_Day) as oneweek by XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM| eval week=strftime(_time,"%Y - %U")
My code in Daily File Transfer Counts is as below:
index=*1 sourcetype=s source="p" "File Catalog" "Completed"| dedup FILE_ID| eval Date=strftime(_time, "%b/%d/%Y ")| stats count(FILE_ID) as "File_Count_By_Day" by Date,XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM
I am looking to count all the file that was transfers within a week for particular file(sum of File_Count_By_Day within a week)
These counts will always be 1!
BASE_FILE_ID doesn't appear to be a field output by your summary query so you won't get any results? _time or week doesn't appear in your by list for your stats so doesn't affect the grouping
View solution in original post
Thanks for your help @ITWhisperer i got why the count was always coming as 1.