Your current search up to the stats command | stats count etc values(_raw) as _raw | table count _raw
This is throwing an error. Actually, the stats command is being filtered later on the (amount) and being searched for (amount)>5000.
Can't optimize this search by moving the search forward, as amount is calculated in the case which is created in the query.
Can't share it as it's a discrete query, but the above command is also not working on a simple
sourcetype=vendorsales |stats count by productname | stats count etc values(_raw) as _raw | table count _raw
saying etc is invalid.
Please reply, sundar; still not done yet.
I tried your query without etc, but it shows me the count.
I want the EVENT as output, like host, sourcetype, etc., not the chart/table.
I downvoted this post because this query is incorrect; it gives the error "etc not found".
Please do not downvote people who are just trying to help you out here. This is not how voting etiquette works on Splunk Answers. Only downvote users who give you a solution that could be dangerous and possibly break something in your environment. For more background on how community culture works in this forum, visit this previous post:
It's difficult for people to give you an accurate answer if you don't provide as much information for them to work with. If you have an existing search with sensitive information, just anonymize anything as necessary so other users can at least see the syntax of the rest of the search string to give you a more complete solution.
My bad @ppablo, I am new here.
I just downvoted because I thought it set answers to zero so someone doesn't think it's answered already.
No problem, thanks for responding. Glad you found your answer, and thanks for sharing it with the community.