Can you please help me with the below?

index=xyz
| eval BlockedStatus = case(
      like(src,"14.19.106.%")      AND blocked=1, "Q Blocked",
      like(src,"150.29.121.%")     AND blocked=1, "Q Blocked",
      like(src,"14.19.106.%")      AND blocked=0, "Q Not Blocked",
      like(src,"150.29.121.%")     AND blocked=0, "Q Not Blocked",
      NOT like(src,"14.19.106.%")  AND blocked=1, "Non Q Blocked",
      NOT like(src,"150.29.121.%") AND blocked=1, "Non Q Blocked",
      NOT like(src,"14.19.106.%")  AND blocked=0, "Non Q Not Blocked",
      NOT like(src,"150.29.121.%") AND blocked=0, "Non Q Not Blocked")
| stats count by eventtype, BlockedStatus
| rename eventtype as "Local Market", count as "Total Critical Events"

We have data where src=150.29.121.23 and blocked=1, but the above query gives me the result "Non Q Blocked" instead of "Q Blocked".

Not sure what went wrong here.

warren
supriya

1 Answer

Something must be different in your data from the question because the query works in my sandbox.

RichG
  • Thanks @RichG. Now I can see we have event counts for Q Blocked, Q Not Blocked, Non Q Blocked and Non Q Not Blocked. Now I want every BlockedStatus to give its total count in a grouped manner, e.g.:

    Q Blocked
      12  Local Market
      11  foo
      10  ES
      11  GR
      ==============
      Total = 44

    Q Not Blocked
      32  Local Market
      10  foo
      20  ES
      15  GR
      ========
      Total = 77

    I have added this at the end of the existing query but am unable to get the sum and the pattern:

    | top showperc=f BlockedStatus by eventtype
    | stats list(*) as * by BlockedStatus
    | sort -count

    – supriya Jan 14 '21 at 12:17
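Added example (not part of the question, the answer or the comments above, and not Splunk code): a small Python model of the two eval functions the query relies on, like() and case(), run over a handful of constructed events. It shows why the eight-branch case() classifies src=150.29.121.23 with blocked=1 as "Q Blocked" (first matching branch wins, and the second branch matches), that the last two "Non Q" branches can never fire because an earlier branch has already caught every event that reaches them, that a four-way classification is equivalent, and how the per-status totals requested in the follow-up comment fall out of the counts. The sample events, the assumption that blocked=1 compares numerically, and all function names are mine.

```python
import re
from collections import Counter

# Constructed sample events (not data from the original post).  Splunk field
# values arrive as strings, so "blocked" is kept as a string here as well.
SAMPLE_EVENTS = [
    {"src": "150.29.121.23", "blocked": "1", "eventtype": "Local Market"},
    {"src": "14.19.106.7",   "blocked": "0", "eventtype": "foo"},
    {"src": "14.19.106.200", "blocked": "1", "eventtype": "ES"},
    {"src": "10.0.0.5",      "blocked": "1", "eventtype": "GR"},
    {"src": "10.0.0.6",      "blocked": "0", "eventtype": "Local Market"},
    {"src": "150.29.121.9",  "blocked": "0", "eventtype": "ES"},
    # "14.19.106." is not a prefix of this address, so like() must reject it.
    {"src": "14.19.1060.1",  "blocked": "1", "eventtype": "foo"},
]

Q_PREFIXES = ("14.19.106.%", "150.29.121.%")


def splunk_like(text, pattern):
    """Model of eval like(TEXT, PATTERN): SQL-style and anchored at both ends.
    '%' matches any run of characters, '_' matches exactly one character."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def splunk_case(*branches):
    """Model of eval case(c1, v1, c2, v2, ...): the first true condition wins
    and later branches are never consulted; None when nothing matches."""
    for condition, value in branches:
        if condition:
            return value
    return None


def is_blocked(event):
    """Model of the comparison blocked=1 in eval (assumption: a numeric-looking
    string compares as a number; anything else is simply not equal to 1)."""
    try:
        return float(event["blocked"]) == 1
    except (TypeError, ValueError):
        return False


def blocked_status_original(event):
    """The eight-branch case() from the question, branch for branch."""
    q1 = splunk_like(event["src"], "14.19.106.%")
    q2 = splunk_like(event["src"], "150.29.121.%")
    b = is_blocked(event)
    return splunk_case(
        (q1 and b,         "Q Blocked"),
        (q2 and b,         "Q Blocked"),
        (q1 and not b,     "Q Not Blocked"),
        (q2 and not b,     "Q Not Blocked"),
        (not q1 and b,     "Non Q Blocked"),
        (not q2 and b,     "Non Q Blocked"),      # unreachable: branch 1 or 5 already fired
        (not q1 and not b, "Non Q Not Blocked"),
        (not q2 and not b, "Non Q Not Blocked"),  # unreachable: branch 3 or 7 already fired
    )


def blocked_status_simplified(event):
    """Equivalent four-way classification: Q when src is under either prefix."""
    is_q = any(splunk_like(event["src"], p) for p in Q_PREFIXES)
    return ("Q " if is_q else "Non Q ") + ("Blocked" if is_blocked(event) else "Not Blocked")


def count_by_status(events, classify=blocked_status_simplified):
    """Equivalent of `stats count by BlockedStatus, eventtype`, plus the
    per-status totals asked for in the follow-up comment."""
    counts = Counter((classify(e), e["eventtype"]) for e in events)
    totals = Counter()
    for (status, _eventtype), n in counts.items():
        totals[status] += n
    return counts, dict(totals)


def grouped_report(events):
    """Render the grouped layout from the comment: one block per status with
    the count per eventtype, then that status's Total."""
    counts, totals = count_by_status(events)
    lines = []
    for status in sorted(totals, key=totals.get, reverse=True):
        lines.append(status)
        for (s, eventtype), n in sorted(counts.items(), key=lambda kv: -kv[1]):
            if s == status:
                lines.append(f"  {n:>3}  {eventtype}")
        lines.append(f"  Total = {totals[status]}")
    return "\n".join(lines)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        assert blocked_status_original(e) == blocked_status_simplified(e)
    print(grouped_report(SAMPLE_EVENTS))
```

Two practitioner notes that follow from the model rather than from the thread: like() is a string prefix match, so for a real /24 the intent is expressed more robustly with Splunk's cidrmatch("14.19.106.0/24", src); and the per-status subtotal in count_by_status corresponds in SPL to running eventstats sum(count) as Total by BlockedStatus after the stats command, which keeps the per-eventtype rows and adds the group total alongside them.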