Okay, my summary index looks like this:
sourcetype="blah" | sistats count by email
I'd like to run a query against the index to determine the distinct number of email addresses that appear during a specific time period, as in:
index="summary" search_name="" earliest="-1d@d" latest="0d@d" | stats dc(email)
But it's coming up blank. Any thoughts?
Thanks! -S.
You have two choices here. In general, the arguments to stats from a summary index populated by sistats must be exactly the same, so the only valid search (prefix) is:
index="summary" search_name="" earliest="-1d@d" latest="0d@d" | stats count by email
You can find the distinct number of email values by adding stats count
to the search, which calculates the number of rows (distinct emails):
index="summary" search_name="" earliest="-1d@d" latest="0d@d" | stats count by email | stats count
Alternately, you could populate the summary index with:
sourcetype="blah" | sistats dc(email)
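The following Python model is an added example, not part of the original answer and not Splunk's own code: it imitates, in a simplified way, what the two summary-indexing approaches above store and how the reporting searches recombine it. The row layout (one partial row per run and email, a set of emails per run) is an assumption made for illustration; Splunk's real sistats fields look different. The constructed sample below represents two scheduled runs (hour 0 and hour 1), which is exactly the case where counting summary rows directly would overcount and `stats count by email | stats count` is needed.

```python
from collections import defaultdict

# Constructed sample of raw events as (run_hour, email); not real data.
# Two summary runs: hour 0 sees a (twice) and b, hour 1 sees a and c.
RAW_EVENTS = [
    (0, "a@example.com"), (0, "a@example.com"), (0, "b@example.com"),
    (1, "a@example.com"), (1, "c@example.com"),
]


def sistats_count_by_email(events):
    """Model of `sistats count by email` run once per hour: one summary row
    per (hour, email) carrying a partial count for that run (assumed layout)."""
    partial = defaultdict(int)
    for hour, email in events:
        partial[(hour, email)] += 1
    return [{"hour": h, "email": e, "partial_count": c}
            for (h, e), c in sorted(partial.items())]


def stats_count_by_email(summary_rows):
    """Model of `stats count by email` over the summary: merges the partial
    counts of all runs into one total per email."""
    totals = defaultdict(int)
    for row in summary_rows:
        totals[row["email"]] += row["partial_count"]
    return dict(totals)


def stats_count(rows):
    """Model of a trailing `| stats count`: number of rows in the result."""
    return len(rows)


def distinct_emails_via_count_by(events):
    """The answer's first option: stats count by email | stats count."""
    summary = sistats_count_by_email(events)
    return stats_count(stats_count_by_email(summary))


def naive_row_count(events):
    """What you get by counting summary rows without the `by email` stage:
    an email seen in several runs is counted once per run (overcount)."""
    return len(sistats_count_by_email(events))


def sistats_dc_email(events):
    """Model of `sistats dc(email)` per hour: each run stores the set of
    distinct emails it saw, so runs can later be merged losslessly."""
    per_run = defaultdict(set)
    for hour, email in events:
        per_run[hour].add(email)
    return [{"hour": h, "emails": s} for h, s in sorted(per_run.items())]


def stats_dc_email(summary_rows):
    """Model of `stats dc(email)` over a summary built with sistats dc(email):
    union of the per-run sets, then the size of the union."""
    seen = set()
    for row in summary_rows:
        seen |= row["emails"]
    return len(seen)


def distinct_emails_via_sidc(events):
    """The answer's second option: summary populated with sistats dc(email)."""
    return stats_dc_email(sistats_dc_email(events))


if __name__ == "__main__":
    print("stats count by email | stats count :", distinct_emails_via_count_by(RAW_EVENTS))
    print("naive row count over summary      :", naive_row_count(RAW_EVENTS))
    print("sistats dc(email) | stats dc(email):", distinct_emails_via_sidc(RAW_EVENTS))
```

Both valid routes give the same distinct count (3), while simply counting the summary rows gives 4 because a@example.com appears in both runs; that is why the `by email` stage has to come before the final `stats count`.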