I have a column chart showing event counts based on host name from two different indexes:
index="main" OR index="wineventlog" | stats count by host
What I would like to achieve is to be able to show the hosts from the main index in one color and the hosts from wineventlog index as a different color.
I've used something like:
(index="main" OR index="wineventlog")
| chart count as total by host,index
| eval redCount = if(index=="main",total, 0)
| eval greenCount = if(index=="wineventlog", total, 0)
| fields host redCount greenCount
However, all hosts were returned with a 0 value.
Any suggestions greatly appreciated.