I'm wanting to group streamstats results by either one or two fields. Grouping by sourcetype would be sufficient. Grouping by index and sourcetype would be ideal.

This query works fine for a single sourcetype, however does not work for multiple sourcetypes.

The desired outcome is one record per unique sourcetype and/or index.

Example query:

| tstats count as event_count where index="aws_p" sourcetype="aws:cloudwatch:guardduty" by _time span=1m index sourcetype
| sort _time
| streamstats window=1 current=false sum(event_count) as event_count values(_time) as prev_time by index sourcetype
| eval duration=_time-prev_time
| eval minutes_between_events=duration/60
| stats min(minutes_between_events) as min_minutes_between_events avg(minutes_between_events) as avg_minutes_between_events max(minutes_between_events) as max_minutes_between_events by index sourcetype
| eval avg_minutes_between_events=round(avg_minutes_between_events,0)
| eval max_hours_between_events=round(max_minutes_between_events/60,2)

results for multiple sourcetypes

results for a single sourcetype