Like if I run this query:
index=myindex | stats count AS Total1 BY host | append [ search index=myindex | stats count AS Total2 BY source]
I want the statistics for Total2 to be on the same line as Total1, or am I just using the wrong command?
I just want to make two search queries of the same index to be able to compare them on the statistics tab.
It will always do that, but this will give you what you want:
index=myindex
| stats count AS Total1 BY host
| append
[ search index=myindex
| stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source
Thanks everyone. All were good ideas but they only let me accept one answer.
@summitsplunk, since you have already up-voted the remaining answers, you have done your part. Glad you could find the answers useful 🙂
Hi, instead of append, try join
index=a
|stats count by host
|join type=left/inner host
[search index=b
|stats count by host]
@summitsplunk, it depends on what your use case is and what the required output is.
index=_internal log_level=* sourcetype=*
| stats count AS Total1 BY log_level
| append
[ search index=_internal
| stats count AS Total2 BY sourcetype]
| fillnull value="-"
| stats max(Total1) AS Total1 max(Total2) AS Total2 by log_level, sourcetype
Or
index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level
| rename log_level as Field
| append
[ search index=_internal
| stats count AS Total BY sourcetype
| rename sourcetype as Field]
Or
index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| eventstats sum(Total) as Total_log_level by log_level
| eventstats sum(Total) as Total_sourcetype by sourcetype
Or
index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| chart last(Total) as Total by log_level sourcetype
| fillnull value=0
| addtotals col=t row=t labelfield=log_level label=Total
See if one of them fits your needs.
It will always do that, but this will give you what you want:
index=myindex
| stats count AS Total1 BY host
| append
[ search index=myindex
| stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source
@elliotproebstel, you should have fillnull to ensure null fields are still accounted for in the final stats: | fillnull value="-"
Nice correction, thanks!
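The fillnull point from the comment above, as an added example that is not part of the original thread: after `append`, every row carries only one of the two BY fields, and `stats ... BY host, source` drops any row where a BY field is null. The search below runs on constructed data from `makeresults` (the host and source values are made up), so it needs no index; unlike the thread's version, it limits `fillnull` to the two BY fields so the Total columns stay empty rather than "-".

```spl
| makeresults count=6
| streamstats count AS n
| eval host=if(n<=4, "example-host-a", "example-host-b")
| stats count AS Total1 BY host
| append
    [| makeresults count=6
     | streamstats count AS n
     | eval source=if(n%2==0, "/constructed/a.log", "/constructed/b.log")
     | stats count AS Total2 BY source]
| fillnull value="-" host source
| stats max(Total1) AS Total1 max(Total2) AS Total2 BY host, source
```

With the `fillnull` line in place the result has four rows (two hosts with Total1 of 4 and 2, two sources with Total2 of 3 each); with it removed the final `stats` returns no rows at all.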