I have two different fields in logs coming from the same device. I want to count the stats for both fields by using the OR command, but it isn't running.
Following is the command:
|stats count by (Source-IP OR source_ip )
Source-IP and source_ip are two different fields.
One can't use OR in that context. Use a separate eval to establish the by field. For example,
| eval src_ip = coalesce('Source-IP', source_ip) | stats count by src_ip
Also, you can get it by segregating the data to only those two sources:
index=* source=a OR source=b
|stats count by source
I downvoted this post because he wants to count by the source_ip field. Splunk's 'source' metadata field has nothing to do with that.
Rename one of the fields to match the name of the other, before doing the stats, so for example:
| rename Source-IP AS source_ip
| stats count by source_ip
Thanks!!!!
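A complete, self-contained search that exercises the coalesce approach and the rename approach from the answers above on constructed data. This is an added example, not code from either answerer; the IP values are made up and generated with makeresults, so it runs on any Splunk instance without needing an index or the device's real logs. The field dash_src exists only to build the hyphenated Source-IP field for the demo.

```spl
| makeresults count=6
| streamstats count AS n
| eval dash_src = case(n=1, "10.0.0.5", n=2, "10.0.0.7", n=3, "10.0.0.5")
| eval source_ip = case(n=4, "10.0.0.5", n=5, "192.168.1.9")
| rename dash_src AS "Source-IP"
| eval src_ip = coalesce('Source-IP', source_ip)
| fillnull value="unknown" src_ip
| stats count BY src_ip
| sort - count
```

Rows 1-3 carry only Source-IP, rows 4-5 carry only source_ip, and row 6 carries neither. The result is 10.0.0.5 = 3 (two hits from Source-IP plus one from source_ip, which is the merge the question asked for), 10.0.0.7 = 1, 192.168.1.9 = 1, and unknown = 1. Three points a practitioner should keep in mind: the hyphenated name must be single-quoted inside eval, because an unquoted Source-IP is parsed as the arithmetic expression Source minus IP and yields null; Splunk field names are case-sensitive, so source_IP and source_ip are different fields; and without the fillnull line, row 6 would be dropped silently, since stats count BY skips events where the by field is null, which hides how many events had no source address at all. coalesce returns its first non-null argument, so if an event ever carries both fields with different values, Source-IP wins here. For this data, replacing the eval line with `| rename "Source-IP" AS source_ip` and counting by source_ip, as in the last answer, produces the same table.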