I have a table called READER_NAME
this table has all info of reader
I want to query with location(PHX,SFO,SLC,THF.TKO) and get result like this
PHX:20
SFO:10
SLC:20
THF:100
TKO:10
if I do this query
index="access" SFO earliest=-20m latest=now | stats count(READER_NAME)
I only get result on SFO(SFO:10)
Any solution that I can get multiple counts with one query
Thank you in advance
I updated my answer. Check below.
if I query
index="access" earliest=-20m latest=now | table READER_NAME
It returns
PHX DC STRWL
SEOL VENDOR OFF 1
KUL.26 OFFICE NTH
SEOL.37 S ELEV LOBBY ENT
TPZ DC 1.1 LOBBY MANTRAP EXIT 1
PHX DC 2.2 S OFFICE ENT
TPZ DC 1.1 LOBBY MANTRAP EXIT 1
SEOL.19 NORTH LOBBY ENT
SEOL.36 N ELEV LOBBY ENT
and I want to get count on each location
if I try this query
index="access" earliest=-20m latest=now | stats count(READER_NAME)
it only returns count number
Thank you,
Try this:
index="access" SFO earliest=-20m latest=now | stats count by READER_NAME
Keep in mind that by having SFO in your search you might only get events that contain SFO.
Try it without the SFO in your search. Then write some regex to extract the Codes (SFO, PHX, SLC). Without knowing your data, see below.
index="access" earliest=-20m latest=now | rex field=READER_NAME (?
I want to get all locations with one query
the result should be like this
PHX:20
SFO:10
SLC:20
THF:100
TKO:10