Hi, I can use this search string to get the statistics output:
index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3
Name Count
SRV1 800
SRV2 600
SRV6 700
The question is how I can continue to use the search string to query each of the output "Name" values and display a new field "RULE" under "Name".
Example:
index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by RULE | sort -count
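One way to get the per-name RULE breakdown in a single search, as an added example that is not part of the original post: a subsearch finds the top 3 names and the outer search counts RULE within them. It assumes the field is called NAME as in the first query (Splunk field names are case-sensitive, and the second query in the post writes Name) and that RULE is an extracted field on the same events.

```spl
index=data sourcetype="data1" host=HOSTA
    [ search index=data sourcetype="data1" host=HOSTA
      | stats count by NAME
      | sort -count
      | head 3
      | fields NAME ]
| stats count by NAME, RULE
| sort NAME, -count
```

The subsearch expands to a filter of the form (NAME="...") OR (NAME="...") OR (NAME="..."), so the outer stats only sees events for the three busiest names and lists each name's rules from most to least frequent.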