how do I combine " |stats count by host " and "| stats distinct_count(host)" in one table?

October 1, 2018, 2:56 pm

≫ Next: GroupBy multiple fields within single result

≪ Previous: Why are we seeing an issue with an EXTREMELY busy forwarder bogging down our indexers?

I can search for events and run stats count by host. And I can run a search of distinct number of hosts. I want to combine both in one table. I want count of events by host and a count of hosts. I actually want to create an alert based on the number of hosts returned.

↧