This is my search:
host="splunk.local"|bucket _time span=1mon | stats count by event
![alt text][1]
My question is:
To sum the total number of events per month in a separate field,
but when I use this query:
host="splunk.local"|bucket _time span=1mon | stats count by event | stats sum(count) as total
![alt text][2]
the event field disappears. I want to have event and count and the total field in my search.
I tried this:
host="splunk.local"|bucket _time span=1mon | stats count by event| eventstats sum(count) as total|table event total
but it shows the result in the whole column, not just in one row.
How can I solve my problem?
Thanks
[1]: /storage/temp/216811-2017-10-15-12-19-31.png
[2]: /storage/temp/216812-2017-10-15-12-56-36.png