I do believe I'm missing something fundamental here...
So, the search index=X returns many events where each event has many fields. I want to add a field to each search result event that contains the count of events returned in the search. So, I attempt this by doing: index=x | stats count(oneOfTheFieldNames) AS Total. My expectation is that I'll see the list of events with all fields originally returned by the plain vanilla search index=X, but each event will have a new field named Total whose value is the number of events returned in the search.
Instead, all I see is one event with one field named 'Total' whose value is the number of events that the plain vanilla search index=X returns.
How do I compose a search such that I get the list of events with all fields originally returned by the plain vanilla search index=X, but with each event having a new field named Total whose value is the number of events returned in the search?
Just use eventstats instead of stats:
index=x | eventstats count(oneOfTheFieldNames) AS Total
Try:
... | eventstats count AS Total by oneOfTheFieldNames
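As an added illustration that is not from this thread, the Python below models the semantics of the two SPL commands over a few constructed events (the field names and values are made up): stats count(field) collapses the result set to one summary row, whereas eventstats keeps every event and writes the count into a new field. It also shows what count(field) does when an event lacks that field, and how the "by" clause in the answer above turns the single total into a per-group total.

```python
from collections import defaultdict

# Constructed sample events standing in for what `index=x` might return.
# The third event has no "host" field, which matters for count(host).
EVENTS = [
    {"_time": 1, "host": "web01", "status": 200},
    {"_time": 2, "host": "web01", "status": 500},
    {"_time": 3, "status": 404},
    {"_time": 4, "host": "web02", "status": 200},
]


def _count(events, field=None):
    """SPL `count` (field=None) counts every event; `count(field)` counts
    only the events in which that field is present and non-null."""
    if field is None:
        return len(events)
    return sum(1 for e in events if e.get(field) is not None)


def stats_count(events, field=None, by=None, alias="Total"):
    """Model of `| stats count(field) AS alias [by key]`: the output is one
    summary row per group (a single row without `by`); the original event
    fields do not survive, which is what the question observed."""
    if by is None:
        return [{alias: _count(events, field)}]
    groups = defaultdict(list)
    for e in events:
        if e.get(by) is not None:  # stats ignores events lacking the by-field
            groups[e[by]].append(e)
    return [{by: k, alias: _count(v, field)} for k, v in groups.items()]


def eventstats_count(events, field=None, by=None, alias="Total"):
    """Model of `| eventstats count(field) AS alias [by key]`: every original
    event is kept and the (group) count is added to it as a new field."""
    totals = {row.get(by): row[alias] for row in stats_count(events, field, by, alias)}
    out = []
    for e in events:
        annotated = dict(e)
        key = e.get(by) if by else None
        if by is None or key in totals:  # events without the by-field get no Total
            annotated[alias] = totals[key]
        out.append(annotated)
    return out


if __name__ == "__main__":
    print(stats_count(EVENTS, "host"))             # one row: Total=3
    print(eventstats_count(EVENTS, "host"))        # four events, each Total=3
    print(eventstats_count(EVENTS, by="host"))     # per-host totals on each event
```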
Hi, try with eventstats.
I thought I was missing something fundamental. Thank you, my search works as expected now.