Hi all,
I am trying to search some logs that have event_name and event_number. I want to produce a table that shows a count of how many instances of the event_number exist, but also show the event_name field next to it for reference.
So a table with 3 columns: event_number, event_name, count
I can get one or the other, but not both.
This works for one: index=index1 | chart count by event_number
This works for one: index=index1 | chart count by event_name
This doesn't work: index=index1 | chart count by event_name event_number
Nor this: index=index1 | chart count by event_number | fields event_number event_name count
Does what I am trying to achieve make sense?
Any suggestions?
Thanks
After lots of googling, I seem to have answered it myself
index=index1 | stats count(event_name) by event_name event_number | sort event_number