I have a base search and there are multiple events that I can find depending on some set of the substring. Let's say A, B, C.
I just want to get the counts of these events and calculate a single result from them.
This is what I got so far:
basesearch | stats count(eval(searchmatch("A should contain"))) as successA,
stats count(eval(searchmatch("B should contain"))) as failureB,
stats count(eval(searchmatch("C should contain"))) as failureC,
| eval overall = successA - failureB - failureC
| stats count by overall
...needless to say, it does not work.
Any simple ideas out there?
It's a very simple and basic question but I cannot find any entry or valid answer.
I appreciate any help.
Thanks,
Tunch
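
An added example, not part of the original post: the three conditional counts written as one `stats` command, with the keyword appearing once and the aggregations separated by commas, followed by the `eval` that combines them. `basesearch` and the quoted match strings are the placeholders used in the post.

```spl
basesearch
| stats count(eval(searchmatch("A should contain"))) as successA,
        count(eval(searchmatch("B should contain"))) as failureB,
        count(eval(searchmatch("C should contain"))) as failureC
| eval overall = successA - failureB - failureC
```

The result is a single row holding the three counts and `overall`, so a trailing `stats count by overall` is not needed to read the value.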