In the below query, I'm using indexes "abc" and "def" and extracting the results only for the accounts which are present in index "abc" and not in "def" for each hour.
The query works fine but I've an additional requirement where I want to have a third column where I want the count of events coming only from index "abc" in each hour. I'm not able to add that condition, can someone please help?
(index=abc sourcetype=xyz event_type= "Only_Fail")
OR
( index=def (TYPE1=10 OR TYPE2=20) )
| eval dex1 = if(index=="abc", 1, 0)
| eval dex2 = if(index=="def", 1, 0)
| eval myaccounts = coalesce(CUST_ID, account_number)
| stats min(_time) as _time, sum(dex1) as dex1, sum(dex2) as dex2 by myaccounts | where dex2 = 0 and dex1 > 0
| timechart span=1h count(myaccounts) as total_accounts,sum(dex1) as all_fails
↧