I have the following search results and would like to add the count totals up. If I add the following line:
```
|addtotals fieldname=Blocks
```
I see the total, but the issue is that for items with only one line, their count is doubled (for example, the second line with a count of 2899 has a total of 5798). How do I make sure single counts in the list don't get doubled when adding the totals?
Thx
![alt text][1]
Broken scenario using addtotals command that doubles the count for IPs that have only one domain listed
![alt text][2]
Using the search of
```
index=indexname
| stats count BY domain, src_ip
| sort 0 -count
| stats list(domain) AS Domain, list(count) AS count, sum(count) AS total BY src_ip
| sort 0 -total | head 10
| fields - total
| addtotals fieldname=Blocks
```
I get the following:
![alt text][3]
[1]: /storage/temp/125244-stats-list.png
[2]: /storage/temp/125246-stats-list-broken.png
[3]: /storage/temp/126279-stats-list.png