The search result looks like this
<date>, COUNT_SENT=20, SUM_AMOUNT=50000
<date>, COUNT_RECEIVED=30, SUM_AMOUNT=10000
I need to get the total for both (COUNT_SENT + COUNT_RECEIVED) by hour, but this doesn't since they're in different events
This doesn't work
<search string> | eval total = COUNT_SENT + COUNT_RECEIVED | stats sum(total) by hour
rename doesn't work too.
I manage to only sum either the COUNT_SENT or COUNT_RECEIVED separately but not combined, I need the combined though.
... View more