I have two different fields in logs coming from the same device. I want to count that stats for both fields by using the OR command but it's not running.
Following is the command:
|stats count by (Source-IP OR source_ip )
Source-ip and source_ip are two different fields
One can't use OR in that context. Use a separate eval to establish the by field. For example,
OR
eval
by
| eval src_ip = coalesce(Source-IP, source_IP) | stats count by src_ip
View solution in original post
Also you can get by segregating the data only from those two sources
index=* source=a OR source=b |stats count by source
I downvoted this post because he wants to count by source_ip field. splunk's 'source' metadata field has nothing to do with that.
Thanks!!!!
Rename one of the fields to match the name of the other, before doing the stats, so for example:
| rename Source-IP AS source_ip | stats count by source_ip
