My data looks something like this
The status can be either SUCCESS or FAILED, I want to count the total number of events that has status as FAILED and status as SUCCESS.
FYI: The status is not a direct field, I had to extract it out by using
| rex "status=(?<Status>[^,]+)"
Thanks it helped 🥳🥳🥳
your search and your rex...
| stats count by status