hello
In a panel table, I need to display every sourcetype results even if the sourcetype result = 0
I have done an if condition but it doenst works
could you help me please?
`windows` sourcetype="Win" OR sourcetype=report OR sourcetype=abdm OR sourcetype=app OR sourcetype="flags" OR sourcetype="up"
| stats dc(host) as "Number of hosts" by sourcetype
| sort -"Number of hosts"
@jip31
Can you please try this?
`windows` sourcetype="Win" OR sourcetype=report OR sourcetype=abdm OR sourcetype=app OR sourcetype="flags" OR sourcetype="up"
| stats dc(host) as count by sourcetype
| sort -"Number of hosts" | append [| makeresults
| eval sourcetype="Win||report||abdm||app||flags||up",sourcetype=split(sourcetype,"||"), count=0
| mvexpand sourcetype
| table sourcetype count ] | stats sum(count) as "Number of hosts" by sourcetype
@jip31
Can you please try this?
`windows` sourcetype="Win" OR sourcetype=report OR sourcetype=abdm OR sourcetype=app OR sourcetype="flags" OR sourcetype="up"
| stats dc(host) as count by sourcetype
| sort -"Number of hosts" | append [| makeresults
| eval sourcetype="Win||report||abdm||app||flags||up",sourcetype=split(sourcetype,"||"), count=0
| mvexpand sourcetype
| table sourcetype count ] | stats sum(count) as "Number of hosts" by sourcetype
many thanks!!