What am I doing wrong? I've tried several iterations of the following all which return 2 columns with a count of 0:
sourcetype=a OR sourcetype=b | stats count
count(eval(sourcetype=a)) AS a_count
count(eval(sourcetype=b)) AS b_count
OMG. I got it to work by changing '=' to '==' and putting the value in quotes! HOW FICKLE!!
sourcetype=a OR sourcetype=b | stats count as Total
count(eval(sourcetype=="a")) AS a_count
count(eval(sourcetype=="b")) AS b_count
I was looking for this for days! Thanks the_wolverine
Exact same situation and exact same reaction. OMG. 🙂
OMG. I got it to work by changing '=' to '==' and putting the value in quotes! HOW FICKLE!!
sourcetype=a OR sourcetype=b | stats count as Total
count(eval(sourcetype=="a")) AS a_count
count(eval(sourcetype=="b")) AS b_count
So glad I found this 🙂