Hi all.
I have a search that begins with:
index="first" OR index="second" sourcetype=*
I need to show a table with a lot of columns. The first should be the total events in a particular sourcetype (data1). Can somebody please suggest an eval syntax to do that?
Regards.
index=first OR index=second | stats count by sourcetype | fields count sourcetype
Maybe I'm misunderstanding the question.
EDIT: Second Attempt:
index=first OR index=second |
stats count by sourcetype field1 field2 field3 |
eventstats sum(count) as total by sourcetype |
fields total sourcetype field1 field2 field3
Thanks. I need something like:
index="first" OR index="second" | table EVENTSCOUNTINSOURCETYPEDATA1, field5, field3
Maybe second attempt above is what you're after
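As an added example (not from the original thread), one way to put the total number of data1 events beside the other fields of each row, following the eventstats approach above; eventstats attaches the total to every event without collapsing rows the way stats does. field5 and field3 are the asker's field names, data1 is the sourcetype named in the question, and data1_events / sourcetype_events are assumed column names:

```spl
index="first" OR index="second"
| eventstats count(eval(sourcetype="data1")) AS data1_events
| table data1_events, field5, field3

index="first" OR index="second"
| eventstats count AS sourcetype_events BY sourcetype
| where sourcetype="data1"
| table sourcetype_events, field5, field3
```

The first search keeps every event and repeats the data1 total on each row; the second keeps only data1 events, with the count computed per sourcetype before the filter.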
Just a point of advice: Don't use wildcards unless absolutely necessary. In this case, it really isn't doing anything for you at all. Without specifying sourcetype=* it will return all sourcetypes. But it's a horrible habit to get into. Wildcards are evil and should be avoided whenever possible.
Thanks for the advice!