Hi kozanic_FF,
it just needs a tiny little tweak by adding an additional stats at the end and it works even with single value and trellis 😉
Try this one:
index=_internal
| stats count by sourcetype
| append
[| stats count
| eval sourcetype=if(isnull(sourcetype), "none", sourcetype)]
| streamstats count AS line_num
| eval head_num=if(line_num > 1, line_num - 1, 1)
| where NOT ( count=0 AND head_num < line_num )
| table sourcetype count
| stats sum(count) AS count by sourcetype
again it is a run everywhere SPL, and you need to add random strings to the base search to make it work.
cheers, MuS
... View more