I have a lookup table that consists of 5 fields (index, sourcetype, description, owner, os). I would like to perform a stats count against the sourcetype, while listing all the other fields in the lookup table. However, I cannot figure out how to search against my data to populate the stats count by sourcetype. Below is the search I have created.
|inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|stats count by sourcetype, index, desc, os
I believe you need something like this
|inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|eventstats count by sourcetype
This will just add a new column, count, with the count based on sourcetype, keeping all rows together.
I am not exactly sure what you are trying to get but maybe like this:
| inputlookup Sourctype.csv | stats count values(*) BY sourcetype
This counts the number of lines that contain each sourcetype and lists the values of the other fields, too.
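To compare what the three searches in this thread return, here is a small Python model of their row semantics. It is an added example, not code from the posters and not Splunk's implementation; the rows are constructed and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample rows standing in for the lookup file. Field names follow
# the searches in the thread; the values are made up for illustration.
LOOKUP_ROWS = [
    {"index": "main", "sourcetype": "syslog", "desc": "Linux hosts", "owner": "team-a", "os": "linux"},
    {"index": "network", "sourcetype": "syslog", "desc": "Switches", "owner": "team-b", "os": "ios"},
    {"index": "wineventlog", "sourcetype": "WinEventLog", "desc": "Domain controllers", "owner": "team-c", "os": "windows"},
]


def stats_count_by(rows, by):
    """Model of `stats count by <fields>`: one row per distinct combination of the BY fields."""
    counts = Counter(tuple(r[f] for f in by) for r in rows)
    return [dict(zip(by, key), count=n) for key, n in sorted(counts.items())]


def eventstats_count_by(rows, by):
    """Model of `eventstats count by <field>`: every input row is kept and gains a count."""
    counts = Counter(r[by] for r in rows)
    return [{**r, "count": counts[r[by]]} for r in rows]


def stats_count_values_by(rows, by):
    """Model of `stats count values(*) by <field>`: one row per group, with the
    other fields collapsed to sorted, de-duplicated lists (multivalue fields)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[by]].append(r)
    out = []
    for key in sorted(groups):
        members = groups[key]
        row = {by: key, "count": len(members)}
        for field in members[0]:
            if field != by:
                row[f"values({field})"] = sorted({m[field] for m in members})
        out.append(row)
    return out


if __name__ == "__main__":
    # With every field in the BY clause, each lookup row is its own group (count=1).
    print(stats_count_by(LOOKUP_ROWS, ["sourcetype", "index", "desc", "os"]))
    # eventstats keeps all three rows; both syslog rows carry count=2.
    print(eventstats_count_by(LOOKUP_ROWS, "sourcetype"))
    # One row per sourcetype, other fields listed as multivalue.
    print(stats_count_values_by(LOOKUP_ROWS, "sourcetype"))
```

All three count rows of the lookup file itself, not events in an index.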