I am stuck on creating a search. I need to sort my results by Agency and I need to list a count of all events as well as a count of all events broken down by the values in the Cause field. The search below accomplishes everything except showing the count of the Cause values.
index=dspro sourcetype=bootlogmaster force=* | stats values(Cause) count by Agency AgencyName
Any help would be greatly appreciated.
Thank you,
Don
Try this
index=dspro sourcetype=bootlogmaster force=* | stats count by Agency AgencyName Cause
| stats list(Cause) as Cause list(count) as count sum(count) as Total by Agency AgencyName
That worked perfectly. Thank you very much.