All - I am attempting to count two extracted fields that have the same name from two sourcetypes. I would like to count the number of users in sourcetype=A and sourcetype=B.
Here is my search so far :
sourcetype=phishing_recipients OR sourcetype=phishing_clickers | eval userID{sourcetype} = userID | stats dc(eval(userIDpishing_recipients)) as RECIPIENTS, dc(eval(userIDphishing_clickers)) as CLICKERS
I am not looking to join the two sources, rather just total the number of userIDs.
Thanks! Mike
Hello
Wouln it be as easy as:
...| stats dc(userID) by sourcetype
Regards
Hello
Wouln it be as easy as:
...| stats dc(userID) by sourcetype
Regards
Ahhh... always the simple way that avoids me. Ugh. Thank you!! Mike