I think you want to replace
request_status=alerted OR blocked
with
request_status=alerted OR request_status=blocked
All I'm trying to see is the results for both alerted and blocked split by each violation, but every time I run this search it seems to only populate either one or the other. So I'll get it split by the violation type, but if there are results in the alerted then blocked will say zero and vice versa.
I have tried this but it always seems to just populate one value (Blocked or Alerted) and leaves the other one "0".
Can you post the two searches and the results they get you? I've written a nearly identical search to yours and it works perfectly.
Or possibly I'm misunderstanding something. What is the universe of the possible values for violations? By using that at the end of your stats clause, that's what you're splitting your results over.