I would like to create a table similar to the following:
>10 23 3
10 4 1
9 3 0
8 3 0
.
.
.
1 433 57
The search is only: sourcetype="xyz" host=MA* Mthd="CreateReport"
So, want to know how many users created 1 report, 2 reports, ...., 10 reports, and more than 10.
sourcetype="xyz" host=MA* Mthd="CreateReport"
| stats count as reportcount by user
| eval reportcount=if(reportcount<10,tostring(reportcount),">10")
| stats dc(user) as numusers by reportcount
try this
sourcetype="xyz" host=MA* Mthd="CreateReport" | stats count by User | eval ReportCount=case(count=1,"1",count=2,"2"...and so on, count=10="10", 1=1,"10 or more") | stats count by ReportCount