Hi vtsguerrero,
take this run everywhere example and adapt it to your needs:
index=_internal | stats count(eval(like(sourcetype, "splunkd"))) AS P count(eval(like(sourcetype, "%web%"))) AS I
This will count sourcetype="splunkd" as P and sourcetype="*web*" as I. So if you use this on the Status field in your case.
hope this helps to get you started ...
cheers, MuS
The result table should be something like this:
| table _time, Channel, Code, StatusP, StatusI, StatusE
but the Status field in my database is only one field. I need to count and store 'em individually
Thanks a lot @MuS !
I knew how to do the count, but for only one field, first time I use three fields at once, worked like a charm! Tks!
Forgot to mention that I may have other fields in my table grid query....
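The same count(eval(...)) pattern applied to a single Status field, as an added example that is not part of the original posts. It assumes Status holds the values P, I and E (inferred from the StatusP, StatusI and StatusE column names), uses constructed Channel and Code values generated with makeresults so it runs on any search head, and picks a one-hour span for _time as an arbitrary choice. Any other fields wanted in the result grid go in the BY clause.

```spl
| makeresults count=6
| streamstats count AS n
| eval Channel=if(n<=3, "web", "mobile")
| eval Code=if(n<=3, "A1", "B2")
| eval Status=case(n==1, "P", n==2, "P", n==3, "I", n==4, "E", n==5, "I", n==6, "P")
| bin _time span=1h
| stats count(eval(Status="P")) AS StatusP
        count(eval(Status="I")) AS StatusI
        count(eval(Status="E")) AS StatusE
        BY _time, Channel, Code
| table _time, Channel, Code, StatusP, StatusI, StatusE
```

With this sample data the web/A1 row shows StatusP=2, StatusI=1, StatusE=0 and the mobile/B2 row shows StatusP=1, StatusI=1, StatusE=1.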