Hi, I am hoping to use the search below to get the counts for the categories in DIRECTION and the categories in TYPE.
If I end the search with just: | stats count DIRECTION
I get the correct counts for those.
If I end with just: | stats count TYPE
I get the correct counts for 'TYPE'.
I want to put them together, but have had no luck with: | stats count by DIRECTION TYPE
(It doesn't help if I put a comma between them.)
The search and the 'evals' do pull the data desired.
Thanks,
index=aaa OR index=bbb sourcetype=ccc OR sourcetype=ccc
(extin "from=") OR (extout "from=") OR "virusname=" OR "cmd=judge module=access rule=pdrbl"
| eval DIRECTION=case(direction=="inbound", "Inbound", direction=="outbound", "Outbound")
| eval TYPE=case(rule=="pdrbl", "pdrbl", match(virusname, "\S+"), "virus")
| stats count by DIRECTION TYPE
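The following is an added, stand-alone SPL example and not part of the original post or the poster's search. It shows the behaviour that matters when grouping by two fields built with case(): stats ... by drops any event in which one of the by-fields is null, and case() returns null whenever none of its conditions match. An event that only has a direction but no rule or virusname therefore appears in a count by DIRECTION alone, but disappears from a count by DIRECTION TYPE. Adding a true() default branch to each case() (or running fillnull on the two fields before stats) keeps those events in the combined table. The events come from a constructed sample string rather than the poster's indexes; the field names direction, rule and virusname match the post, and "Unknown" and "other" are assumed labels for the default branches.

```spl
| makeresults
| eval sample="inbound,pdrbl,;outbound,,Trojan.Gen;inbound,,;outbound,pdrbl,;inbound,,Worm.X"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<direction>[^,]*),(?<rule>[^,]*),(?<virusname>.*)$"
| eval DIRECTION=case(direction=="inbound", "Inbound", direction=="outbound", "Outbound", true(), "Unknown")
| eval TYPE=case(rule=="pdrbl", "pdrbl", match(virusname, "\S+"), "virus", true(), "other")
| stats count by DIRECTION TYPE
```

Removing the two true() branches and re-running the search shows the effect directly: the third sample event (inbound, no rule, no virusname) is no longer counted, because its TYPE is null. The same default-branch pattern applies to the original search once its redacted index and sourcetype values are restored; the alternative is `| fillnull value="unknown" DIRECTION TYPE` placed immediately before the stats command.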