Let's try something, and tell me if it works.
If your field is
your search | streamstats count as NbrOfConsecuviteEvents BY TypeEvent reset_on_change=true | reverse | streamstats count as nb BY TypeEvent reset_on_change=true | where nb=1
Hope it helps
Let's say your field is "eventName", try something like
| autoregress eventName | eval consecutiveEvent=if(eventName_p1=eventName, 1, 0) | streamstats current=t count(eval(consecutiveEvent=0)) AS eventGroup | stats values(eventName) AS eventName, count BY eventGroup
It would be best to assign each value to a field. Then you can do:
your_search | stats count by type_event
where type_event = bookingEvent OR type_event = failureEvent.
But just based on your raw data above, this should work:
your_search | rex field=_raw "(?<type_event>\w+)Event" | stats count by type_event
I have a similar issue, and I have one more column, Date, along with the column he shared.
Date : Status
1/1/2018 : Green
1/2/2018 : Green
1/3/2018 : Red
1/4/2018 : Green
1/5/2018 : Red
Desired result is :
Status : Count
Green : 2
Red : 1
Green : 1
Red : 1
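The two-pass streamstats approach from the first answer, applied to the Date/Status sample in the last post (an added example, not part of any post in this thread). The first four lines only construct the five sample rows inline so the search runs without indexed data; the field names row, Count and nb are assumptions chosen here.

```spl
| makeresults
| eval row=split("1/1/2018,Green;1/2/2018,Green;1/3/2018,Red;1/4/2018,Green;1/5/2018,Red", ";")
| mvexpand row
| rex field=row "^(?<Date>[^,]+),(?<Status>.+)$"
| streamstats count AS Count BY Status reset_on_change=true
| reverse
| streamstats count AS nb BY Status reset_on_change=true
| where nb=1
| reverse
| table Status Count
```

The first streamstats numbers each row within its run of identical Status values, and the reversed second pass marks the last row of every run (nb=1), which carries the run length. On indexed events, which Splunk returns newest first, put `| sort 0 _time` before the first streamstats if the runs should be listed oldest first.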