Hi @Ram2 Another approach would be to use a single query without any subsearch/append etc:

```
index=test-index (("ERROR" Code=OPT OR Code=ONP) OR ("WARN" "User had issues with code" Code=OPT OR Code=ONP code_ip IN(1001, 1002, 1003, 1004)) OR ("INFO" "POST" NOT "GET /authenticate/mmt" Code=OPT OR Code=ONP code_data IN(iias, iklm, oilk)))
| bin _time span=1d
| eval TOATL_ONIP1=if(match(_raw, "ERROR") AND (Code="OPT" OR Code="ONP"), 1, 0)
| eval TOATL_ONIP2=if(match(_raw, "WARN") AND match(_raw, "User had issues with code") AND (Code="OPT" OR Code="ONP") AND code_ip IN(1001, 1002, 1003, 1004), 1, 0)
| eval TOATL_ONIP3=if(match(_raw, "INFO") AND match(_raw, "POST") AND NOT match(_raw, "GET /authenticate/mmt") AND (Code="OPT" OR Code="ONP") AND code_data IN("iias", "iklm", "oilk"), 1, 0)
| stats sum(TOATL_ONIP1) as TOATL_ONIP1 sum(TOATL_ONIP2) as TOATL_ONIP2 sum(TOATL_ONIP3) as TOATL_ONIP3 by Code _time
| eval Start_Date=strftime(_time, "%Y-%m-%d")
| table Start_Date Code TOATL_ONIP1 TOATL_ONIP2 TOATL_ONIP3
```

This determines the ONIP number based on fields in the event and then does a stats to count each ONIP by Code.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
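The flag-then-sum pattern of the query above (one 0/1 eval per category, then stats sum by Code and day), re-implemented in Python over a few constructed events so the classification can be checked offline before running it against an index. This is an added example, not part of the answer; the sample events, the ISO timestamp format and the extracted field names code_ip/code_data are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events modelled on the fields the SPL uses (_raw, Code, code_ip, code_data).
EVENTS = [
    {"_time": "2024-05-01T09:00:00Z", "_raw": "ERROR login failed", "Code": "OPT"},
    {"_time": "2024-05-01T10:00:00Z", "_raw": "WARN User had issues with code", "Code": "ONP", "code_ip": 1002},
    {"_time": "2024-05-01T11:00:00Z", "_raw": "INFO POST /submit", "Code": "OPT", "code_data": "iias"},
    # Excluded by the NOT clause even though it is INFO + POST with a matching code_data.
    {"_time": "2024-05-01T12:00:00Z", "_raw": "INFO POST GET /authenticate/mmt", "Code": "OPT", "code_data": "iklm"},
    {"_time": "2024-05-02T08:00:00Z", "_raw": "ERROR timeout", "Code": "ONP"},
    # Code outside (OPT, ONP): never returned by the base search.
    {"_time": "2024-05-02T08:30:00Z", "_raw": "ERROR timeout", "Code": "XYZ"},
]

CODES = {"OPT", "ONP"}
CODE_IPS = {1001, 1002, 1003, 1004}
CODE_DATA = {"iias", "iklm", "oilk"}   # string literals, as the eval IN() needs them quoted


def onip_flags(ev):
    """Mirror the three eval lines: return (TOATL_ONIP1, TOATL_ONIP2, TOATL_ONIP3) as 0/1."""
    raw = ev["_raw"]
    code_ok = ev.get("Code") in CODES
    f1 = int(bool(re.search("ERROR", raw)) and code_ok)
    f2 = int(bool(re.search("WARN", raw)) and "User had issues with code" in raw
             and code_ok and ev.get("code_ip") in CODE_IPS)
    f3 = int(bool(re.search("INFO", raw)) and "POST" in raw
             and "GET /authenticate/mmt" not in raw
             and code_ok and ev.get("code_data") in CODE_DATA)
    return f1, f2, f3


def onip_counts(events):
    """Mirror `bin _time span=1d | stats sum(...) by Code _time`.

    Returns {(Start_Date, Code): [sum1, sum2, sum3]}. Events with all flags 0
    are dropped, as the base search would not have returned them.
    """
    totals = defaultdict(lambda: [0, 0, 0])
    for ev in events:
        flags = onip_flags(ev)
        if not any(flags):
            continue
        day = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d")
        for i, f in enumerate(flags):
            totals[(day, ev["Code"])][i] += f
    return dict(totals)
```

One difference to keep in mind: the base search matches "ERROR", "WARN" and "INFO" as indexed terms, while match(_raw, ...) is a regex substring test, so the two filters can disagree on events where the word is embedded in a larger token.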