Query:
index=xxx application_code=mobile NOT feature
|stats count by code message
|sort -count
|eval message=substr(message, 1, 40)
output:
code | message | count |
mobile-job-115 | application error occured | 100 |
mobile-app-180 | application is stable | 240 |
app-job-800 | information good | 34 |
project-job-100 | system error occured | 10 |
project-job-100 | system error occured | 20 |
project-job-100 | system error occured | 34 |
project-job-100 | system error occured | 23 |
project-job-100 | system error occured | 50 |
expected output:
code | message | count |
mobile-job-115 | application error occured | 100 |
mobile-app-180 | application is stable | 240 |
app-job-800 | information good | 34 |
project-job-100 | system error occured | 137 |
I want my table to display the count as one value for similar messages, for example (system error occured), as shown above.
And who says you can't do
| stats sum(count) ...
after what you already have?
But on the other hand - why not just do the substr() earlier in the pipeline?
Hi @PickleRick
I tried sum(count) but it's not coming.
No values are displaying under count.
Unless you rename the resulting column, it will be called sum(count), not count anymore.
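Added example, not written by any poster in this thread: the two fixes suggested above, applied to the query from the question. The first query truncates message before stats, so rows that differ only after character 40 fall into one group. The second keeps the original order and re-aggregates, renaming sum(count) back to count so that sort -count and the table column still work.

```spl
index=xxx application_code=mobile NOT feature
| eval message=substr(message, 1, 40)
| stats count by code message
| sort -count

index=xxx application_code=mobile NOT feature
| stats count by code message
| eval message=substr(message, 1, 40)
| stats sum(count) as count by code message
| sort -count
```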