I have 3 sources (source1, source2, source3) and 5 sourcetypes (sourcetype1, sourcetype2, sourcetype3, sourcetype4, sourcetype5) for a single host, host1.
sourcetype1 belongs exclusively to source1 and sourcetype2 to source2, but source3 has 3 sourcetypes: sourcetype3, sourcetype4 and sourcetype5.
Likewise, I have 2 sources (source4, source5) and 3 sourcetypes (sourcetype6, sourcetype7, sourcetype8) for another host, host2, with source4 having sourcetype6 and source5 having sourcetype7 and sourcetype8.
I wish to have a stats count like this:
---------------------------------------
host source sourcetype
---------------------------------------
host1 source1 sourcetype1
host1 source2 sourcetype2
host1 source3 sourcetype3
host1 source3 sourcetype4
host1 source3 sourcetype5
host2 source4 sourcetype6
host2 source5 sourcetype7
host2 source5 sourcetype8
Can someone please help?
Maybe try this:
.... | stats values(sourcetype) as v_sourcetype by source host
It shouldn't be that simple, but what's missing from
"your search"|stats count by host,source,sourcetype
It is that simple. Or, at least, that meets the request the OP wrote up.
Try the below if you want a count:
...|stats count by sourcetype
And if you want all values as well, then try:
...|stats values(*) as * count by sourcetype
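To make the difference between the answers above concrete, here is an added example (plain Python, not Splunk code and not anything the posters wrote) that simulates the `stats` variants from the thread over a constructed event list laid out exactly as the question describes. The event counts, the field order and the sort order are assumptions. What it shows is that `stats count by host, source, sourcetype` yields one row per distinct triple (the table the question asked for), `stats values(sourcetype) as v_sourcetype by source host` collapses each (source, host) pair into a single row carrying a multivalue field, and `stats count by sourcetype` drops host and source entirely.

```python
"""Plain-Python simulation of the Splunk `stats` variants in the thread.

Added example, not Splunk code. Constructed events only; the counts per
(host, source, sourcetype) are arbitrary assumptions.
"""
from collections import Counter, defaultdict

FIELDS = ("host", "source", "sourcetype")

# Constructed sample events, one tuple per event: (host, source, sourcetype).
# The layout matches the question; the multiplicities are made up.
EVENTS = (
    [("host1", "source1", "sourcetype1")] * 3
    + [("host1", "source2", "sourcetype2")] * 2
    + [("host1", "source3", "sourcetype3")] * 1
    + [("host1", "source3", "sourcetype4")] * 4
    + [("host1", "source3", "sourcetype5")] * 2
    + [("host2", "source4", "sourcetype6")] * 5
    + [("host2", "source5", "sourcetype7")] * 1
    + [("host2", "source5", "sourcetype8")] * 2
)


def stats_count_by(events, *by_fields):
    """`stats count by <by_fields>`: one row per distinct combination of the
    split-by fields, plus a count column. Rows are returned sorted
    lexicographically by the split-by fields, as Splunk displays them."""
    idx = [FIELDS.index(f) for f in by_fields]
    counts = Counter(tuple(ev[i] for i in idx) for ev in events)
    return [dict(zip(by_fields, key), count=n) for key, n in sorted(counts.items())]


def stats_values_sourcetype_by_source_host(events):
    """`stats values(sourcetype) as v_sourcetype by source host`: one row per
    (source, host) pair; v_sourcetype is the distinct sourcetypes for that
    pair as a lexicographically sorted multivalue field (a list here)."""
    groups = defaultdict(set)
    for host, source, sourcetype in events:
        groups[(source, host)].add(sourcetype)
    return [
        {"source": s, "host": h, "v_sourcetype": sorted(v)}
        for (s, h), v in sorted(groups.items())
    ]


def stats_values_all_count_by_sourcetype(events):
    """`stats values(*) as * count by sourcetype`: one row per sourcetype
    with the distinct host and source values seen for it (rendered here as
    lists even when single-valued, an assumption about display) and a count."""
    hosts, sources, counts = defaultdict(set), defaultdict(set), Counter()
    for host, source, sourcetype in events:
        hosts[sourcetype].add(host)
        sources[sourcetype].add(source)
        counts[sourcetype] += 1
    return [
        {"sourcetype": st, "host": sorted(hosts[st]),
         "source": sorted(sources[st]), "count": counts[st]}
        for st in sorted(counts)
    ]


if __name__ == "__main__":
    # The first variant reproduces the table from the question, row for row.
    for row in stats_count_by(EVENTS, "host", "source", "sourcetype"):
        print(row)
    print()
    for row in stats_values_sourcetype_by_source_host(EVENTS):
        print(row)
    print()
    for row in stats_values_all_count_by_sourcetype(EVENTS):
        print(row)
```

The `values()` variant is the one to reach for when a single row per (source, host) with all of its sourcetypes is wanted; the `count by host, source, sourcetype` variant is the one whose rows line up one-to-one with the table in the question.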
Thank you 🙂
Thank you Adonio. It worked.