Hi,
I have this query where I want my data in a specific format.
Here under each POD there are some 3-4 hosts, whose total event count is 5 ... (highlighted)
Base query|stats count by host|addcoltotals
Similarly, for POD 2 I have a different set of hosts whose count is 10
Expected output:
Message POD1 POD2 Total
XYZ ........ 5.............10.......... 15
I used the below query:
index="River" sourcetype=river_logs host="XYZ" OR host="ABC" OR host="LM" OR host="NOP" Message="*" | eval host=upper(host) | eval env=case(host=="XYZ" OR host="ABC","POD1",host=="LM" OR host=="NOP","POD2",1==1,"NOT MATCHED") | stats count by host env | chart values(count) over host by env
Which is giving result as :
host POD1....POD2
XYZ 2
LM ...............5
ABC 3
NOP ............5
Which is not the expected format of result. ("." are nothing but the spaces to show how exactly the result is popping)
Please help me with this one.