Solved: How to table the count of each instance of fieldA,...

stage1v8 · ‎06-10-2015

Hi all,

I am trying to search some logs that have event_name and event_number. I want to produce a table that shows a count of how many instances of the event_number exist, but also show the event_name field next to it for reference.

So a table with 3 columns:
event_number, event_name, count

I can get one or the other, but not both.
This works for one: index=index1 | chart count by event_number
This works for one: index=index1 | chart count by event_name
This doesn't work: index=index1 | chart count by event_name event_number
Nor this: index=index1 | chart count by event_number | fields event_number event_name count

Does what I am trying to achieve make sense?

Any suggestions?

Thanks

stage1v8 · ‎06-10-2015

After lots of googling, I seem to have answered it myself

index=index1 | stats count(event_name) by event_name event_number | sort event_number

View solution in original post

stage1v8 · ‎06-10-2015

After lots of googling, I seem to have answered it myself

index=index1 | stats count(event_name) by event_name event_number | sort event_number

How to table the count of each instance of fieldA, but also show fieldB as an additional column next to it for reference?

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!