I am parsing through a lot of data, so I want to do this preferably in one search command.
1) I want to generate distinct counts of field1 and field2, grouped by field3.
2) I also want to generate distinct counts of field1 and field2, without a group by.
So for 1 I have something like this:
....| stats dc(field1) dc(field2) by field3
and for 2 I have something like this:
....| stats dc(field1) dc(field2)
How can I combine both of these into one search command, so that I have the following table?
a 20 30
b 50 80
Total 55 90
Note that Total unique != sum of a+b, because of overlaps.
You could use append to join the results. Try something like this (then pipe to format as you need):
... | stats dc(field1) as "DC Field1" dc(field2) as "DC Field2" by field3 | append [search ... | stats dc(field1) as "Total Field1" dc(field2) as "Total Field2"]
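Two ways to get the requested single table, as an added example that is not part of the original answer: the first search gives the `append` row the same column names and a `field3` label so it lines up under the grouped rows; the second goes beyond the answer and reads the data once, making `field3` multivalue so that `stats` counts each event under its own group and under `Total`. `<base search>` is a placeholder for your own search, and the column names `dc_field1`/`dc_field2` and the label `Total` are chosen here for illustration.

```spl
<base search>
| stats dc(field1) AS dc_field1 dc(field2) AS dc_field2 BY field3
| append
    [ search <base search>
      | stats dc(field1) AS dc_field1 dc(field2) AS dc_field2
      | eval field3="Total" ]
| table field3 dc_field1 dc_field2

<base search>
| eval field3=mvappend(field3, "Total")
| stats dc(field1) AS dc_field1 dc(field2) AS dc_field2 BY field3
```

The `append` form runs the base search twice, and its second run is a subsearch, so Splunk's subsearch limits apply to it. In the single-pass form the `Total` row is ordered with the other `field3` values, so it will not necessarily be last, and a real `field3` value of `Total` would be merged into it.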