Hello,

Normally, I would use the following search to find my single value:

| tstats latest(_time) as latest where host=($SERVERNAME) by host
| eval noDataTime = now() - latest
| eval status = if(noDataTime>600,"HOST DOWN" ,if(noDataTime>300,"Warning","Available"))
| stats count(eval(status="Available")) AS Available

I am now forwarding the machine data to a summary index that my host names are now listed as "orig_host" in the fields. This will not allow me to run tstats, so I made the following search to find the status of the servers:

orig_host=("$SERVERNAME)
| stats latest(_time) as latest by orig_host
| eval noDataTime = now() - latest
| eval status = if(noDataTime>600,"HOST DOWN" ,if(noDataTime>300,"Warning","Available"))
| convert ctime(latest)

This will list the servers and show their status as HOST DOWN, Warning and Available. I would like to convert this to a single value, which in the past I used "stats count", but have already used "stats" in the search previously. How would I change my search of "orig_host" to a single value? Thank you!