In the following query, I'm trying to display the count of events for each field (bar) from a single field (foo).
foo=* bar=* | stats values(bar) as Clients count as Amount by foo | eventstats sum(Amount) as AmountByClient by foo | stats sum(Amount) AS "Total Count", list(foo) as Clients list(AmountByClient) as "Client Count" by bar
On each foo field, I can get all the bars and stat the total amount of events for that group of bars, but I would like to get the count for each bar individually.
Thanks for the help!