```Purpose: per-username totals of closed BPPM events, broken down by the kind of ticket reference (INC / CRQ / PKE / WO) found in the closure annotation.```
```Base search; XX and YY are placeholders as posted.```
index=XX sourcetype=YY source=*/log/abc.log
```Keep one event per (_time, bppm_message, bppm_nodename) combination; sortby orders on index time, newest first.```
| dedup _time, bppm_message, bppm_nodename sortby -_indextime
```onepass: the word token between the 0x-prefixed 8-character id and ",,OPERATOR_CLOSED" or ",,OVERRIDE_CLOSED".```
| rex field=bppm_operations_annotations "0x[a-z0-9]{8},(?<onepass>\w+),,(OPERATOR|OVERRIDE)_CLOSED"
```closed_with: text after OPERATOR_CLOSED: / OVERRIDE_CLOSED: / OWNERSHIP_TAKEN: up to the next comma (word chars, whitespace, - / . [ ] only).```
| rex field=bppm_operations_annotations "(OPERATOR_CLOSED:|OVERRIDE_CLOSED:|OWNERSHIP_TAKEN:)\s+(?<closed_with>(\w|\s|\-|\/|\.|\[|\])+),"
```INC_CREATED_TSIM: everything after "0x<8 chars>,<alphanumeric token>," in bppm_annotations.```
| rex field=bppm_annotations "0x[a-z0-9]{8},[a-zA-Z0-9]+,(?<INC_CREATED_TSIM>.*)"
```MUTIPLE_CLOSURE_ANNOTATION: everything after "<3 digits><5 upper-case/digit chars>,<alphanumeric token>,".```
| rex field=bppm_annotations "[0-9]{3}[A-Z0-9]{5},[a-zA-Z0-9]+,(?<MUTIPLE_CLOSURE_ANNOTATION>.*)"
```INC_CREATED_TSIM_2: the text between "Incident " and " created by" in the AddIncidentToNotes annotation. The "." in "CME-remedy.mrl" is unescaped, so it matches any character.```
| rex field=bppm_annotations "0x[a-z0-9]{8},CME-remedy.mrl:execute AddIncidentToNotes,Incident (?<INC_CREATED_TSIM_2>(\w|\s|\-|\/|\.|\[|\])+) created by"
```"yes" when the annotation contains neither OVERRIDE_CLOSED nor OPERATOR_CLOSED; this field is not used by any later command in this query.```
| eval bppm_nar_close_multiple_events=if(NOT match(bppm_operations_annotations,"OVERRIDE_CLOSED") AND (NOT match(bppm_operations_annotations,"OPERATOR_CLOSED")),"yes", "no")
```Fallback chain for closed_with when it is null or "Null": INC_CREATED_TSIM, then INC_CREATED_TSIM_2, then MUTIPLE_CLOSURE_ANNOTATION.```
| eval closed_with = if(isnull(closed_with) OR closed_with="Null", INC_CREATED_TSIM, closed_with)
| eval closed_with = if(isnull(closed_with) OR closed_with="Null", INC_CREATED_TSIM_2, closed_with)
| eval closed_with = if(isnull(closed_with) OR closed_with="Null", MUTIPLE_CLOSURE_ANNOTATION, closed_with)
```Anything still unresolved becomes the literal string "Null".```
| fillnull value="Null" closed_with
```Formatted event time; the stats below does not use it.```
| eval time=strftime(_time,"%x-%H:%M:%S")
```Enrich by onepass from the onepasslk lookup; presumably this is where username comes from - confirm against the lookup definition.```
| lookup onepasslk onepass
```Environment filter; the value looks redacted in the post.```
| search bppm_ecdb_env="***"
```No field list: every remaining null field is set to "Null", so events without a lookup match group under username "Null" rather than dropping out of the stats.```
| fillnull value="Null"
```count(eval(like(...))) counts events, and like with % on both sides is a substring match, so "%WO%" also matches any closed_with text that merely contains those letters.```
```NOTE(review): a distinct count needs dc() rather than count(), e.g. dc(eval(if(like(closed_with, "%INC%"), closed_with, null()))). closed_with holds the whole captured text, so distinct strings are not necessarily distinct tickets.```
| stats count(bppm_message) as Total_count, count(eval(like(closed_with, "%INC%"))) as Closed-With-INC, count(eval(like(closed_with, "%CRQ%"))) as Closed-With-CRQ, count(eval(like(closed_with, "%PKE%"))) as Closed-With-PKE, count(eval(like(closed_with, "%WO%"))) as Closed-With-WO by username
```Busiest users first.```
| sort -Total_count

Abv query iam able to pull data as shown in the attached image but i want add 3 more columns Unique INC Count , Unique CRQ Count , Unique WO Count which show distinct count pls help on how to achieve this