
From the query below, we can see that we have event counts for Q Blocked, Q Not Blocked, Non Q Blocked and Non Q Not Blocked ...

index=xyz 
|eval BlockedStatus =  
 case(Like(src,"14.19.106.%") AND blocked=1 ,"Q Blocked", 
        Like(src,"150.29.121.%") AND blocked=1,"Q Blocked",
        Like(src,"14.19.106.%") AND blocked=0,"Q Not Blocked", 
        Like(src,"150.29.121.%") AND blocked=0,"Q Not Blocked",
        NOT Like(src,"14.19.106.%") AND blocked=1,"Non Q Blocked", 
        NOT Like(src,"150.29.121.%") AND blocked=1,"Non Q Blocked",
        NOT Like(src,"14.19.106.%") AND blocked=0,"Non Q Not Blocked", 
        NOT Like(src,"150.29.121.%") AND blocked=0,"Non Q Not Blocked")         
| top showperc=f BlockedStatus by eventtype 
| stats list(*) as * by BlockedStatus 
| sort 0 - count

Now I want every BlockedStatus (Q Blocked, Q Not Blocked, Non Q Blocked, and Non Q Not Blocked) to give a total count, grouped as below:

Q Blocked = 12  Local Market
            11  foo
            10  ES
            11  GR
======================
Total     = 44

Q Not Blocked = 32  Local Market
                10  foo
                20  ES
                15  GR
======================
Total       77  
supriya
  • how does this differ from https://stackoverflow.com/q/65703855/4418 – warren Jan 14 '21 at 13:50
  • @Warren it's almost the same as the earlier one, but now I want the answer to the next step, like how to calculate the sum on the basis of group. – supriya Jan 14 '21 at 14:23
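
An added example, not part of the original post or its comments: one way in SPL to get the per-eventtype counts plus a total row for each BlockedStatus. It reuses the index, fields and source prefixes from the question; the `QGroup` and `isTotal` fields and the `Total` row label are names assumed here.

```spl
index=xyz
| eval QGroup=if(like(src,"14.19.106.%") OR like(src,"150.29.121.%"), "Q", "Non Q")
| eval BlockedStatus=QGroup." ".case(blocked=1, "Blocked", blocked=0, "Not Blocked")
| stats count by BlockedStatus, eventtype
| appendpipe
    [ stats sum(count) as count by BlockedStatus
    | eval eventtype="Total" ]
| eval isTotal=if(eventtype="Total", 1, 0)
| sort 0 BlockedStatus, isTotal, -count
| fields BlockedStatus, count, eventtype
```

The `appendpipe` subpipeline sums the per-eventtype rows and appends one `Total` row per BlockedStatus, and `isTotal` sorts that row to the end of its group. Events whose `blocked` value is neither 0 nor 1 get a null BlockedStatus and drop out of the counts, as they do in the original `case`.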

0 Answers