I'm trying to find a way to combine multiple searches into one, but all my efforts have failed. I'd like to run the equivalent of | stats count by column against multiple columns. Sample data and desired results are below. Any pointers would be greatly appreciated.
There may be a better way to do this, but I think this works.
| eventstats count as T1count by T1
| eventstats count as T2count by T2
| eventstats count as T3count by T3
| eventstats count as T4count by T4
| eval T1 = T1."!".T1count
| eval T2 = T2."!".T2count
| eval T3 = T3."!".T3count
| eval T4 = T4."!".T4count
| stats values(T1) as T1values values(T2) as T2values values(T3) as T3values values(T4) as T4values
| rex field=T1values "^(?<T1>.*)!(?<T1_count>\d+)$"
| rex field=T2values "^(?<T2>.*)!(?<T2_count>\d+)$"
| rex field=T3values "^(?<T3>.*)!(?<T3_count>\d+)$"
| rex field=T4values "^(?<T4>.*)!(?<T4_count>\d+)$"
| table T1 T1_count T2 T2_count T3 T3_count T4 T4_count
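The pipeline above run end to end on a small constructed dataset, so it can be pasted into any Splunk search bar and checked without real events. This is an added example, not the answer's own code: the six rows come from makeresults with T1..T4 filled in by eval (field names taken from the question, values invented), and the rex patterns anchor the count as trailing digits so a value that itself contains "!" is not split at the wrong place.

```spl
| makeresults count=6
| streamstats count as n
``` comment: constructed sample data; T1..T4 are the question's column names, values are made up ```
| eval T1=if(n<=4,"a","b"),
       T2=if(n%2=0,"x","y"),
       T3=case(n<=2,"p", n<=5,"q", true(),"r"),
       T4="z"
| fields - _time n
``` per-row group sizes for each column, then glue value and count with a delimiter ```
| eventstats count as T1count by T1
| eventstats count as T2count by T2
| eventstats count as T3count by T3
| eventstats count as T4count by T4
| eval T1=T1."!".T1count, T2=T2."!".T2count, T3=T3."!".T3count, T4=T4."!".T4count
``` collapse to one row of multivalue fields, one per column ```
| stats values(T1) as T1values values(T2) as T2values values(T3) as T3values values(T4) as T4values
``` split value and count back out; the count is always the trailing digits ```
| rex field=T1values "^(?<T1>.*)!(?<T1_count>\d+)$"
| rex field=T2values "^(?<T2>.*)!(?<T2_count>\d+)$"
| rex field=T3values "^(?<T3>.*)!(?<T3_count>\d+)$"
| rex field=T4values "^(?<T4>.*)!(?<T4_count>\d+)$"
| table T1 T1_count T2 T2_count T3 T3_count T4 T4_count
```

The result is a single row in which every column is a multivalue field, so columns with different numbers of distinct values (T3 has three here, T4 one) simply have different numbers of entries, and the value and count lists for a column line up because both come from the same sorted values() output. The triple-backtick comments are the SPL comment syntax available in Splunk 8.x and later; drop them on older versions.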
Have you tried appendcols with all the searches? If not, could you please try it? Just add stats count to each search and rename count with a unique name across all the searches, like | stats count as Count_T1 .
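The appendcols form the reply suggests, written out as an added example (not the reply's own code) against the same constructed data. Each appended search has to be a complete search of its own, which is why the makeresults/eval base is repeated inside every subsearch; T1..T4 and the Count_T1-style names follow the question and the reply, the values are invented.

```spl
| makeresults count=6 | streamstats count as n | eval T1=if(n<=4,"a","b")
| stats count as Count_T1 by T1
| appendcols [
    | makeresults count=6 | streamstats count as n | eval T2=if(n%2=0,"x","y")
    | stats count as Count_T2 by T2 ]
| appendcols [
    | makeresults count=6 | streamstats count as n | eval T3=case(n<=2,"p", n<=5,"q", true(),"r")
    | stats count as Count_T3 by T3 ]
| appendcols [
    | makeresults count=6 | streamstats count as n | eval T4="z"
    | stats count as Count_T4 by T4 ]
| table T1 Count_T1 T2 Count_T2 T3 Count_T3 T4 Count_T4
```

appendcols merges by position: the first row of each subsearch is placed beside the first row of the main search, the second beside the second, and so on, so the output is one row per distinct value of the longest column with empty cells where a shorter column has run out. That gives the side-by-side layout of "value, count" pairs directly, without the eventstats/rex round trip, but the usual subsearch result-count and runtime limits apply to every appended search, and the base search is re-run once per column.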