Not sure why you are using prestats=true - try something like this | tstats count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where index IN (add_on_builder_index, ba_tes...
See more...
Not sure why you are using prestats=true - try something like this | tstats count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" Secure_Malware_Analytics_Dataset.status IN ("*") by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| eventstats sum(Count) as Total
| eval Percent=100*Count/Total
| sort - Count | head 20