hi all, this is my search, sorry newbie here:
source=*DT* index=index001
| dedup _raw
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= tostring(Ads, "commas")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results
Results are:
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
... with hundreds of pages
Results show correct final number but it displays in multiple rows. I just need to show one single result.
Thank you
... View more