I'm having trouble writing a search statement that sets the count to 0 when the service is normally.
This is my data example.
name status
A failed
B failed
C failed
A normally
B normally
C normally
Counting with name will also count normally.
I want to count status failed only.
In this case, where everything is normally, I want to display 0.
I know this is not correct, but I want to do something like this.
|eval A =if((status=failed),count,null)
|stats count as A
I can't think of a conditional statement that counts when the status is failed.
Try this?
<your search> | stats count(eval(status="failed")) as failed_count by name
Instead of if, use a case.
|eval A=case(status="failed",1)
So A has counts only for failed status.
Thank you for helping.
What does (status=failed,1) mean?
I thought (status=failed,0).
Hi, you said 'I want to count status failed only.' Hence I made status=failed as 0.
You can assign any value based on your need.