From the query below you can see that our event counts are Q Blocked, Q Not Blocked, Non Q Blocked and Non Q Non blocking ...
index=xyz
| eval BlockedStatus =
    case(like(src,"14.19.106.%") AND blocked=1, "Q Blocked",
         like(src,"150.29.121.%") AND blocked=1, "Q Blocked",
         like(src,"14.19.106.%") AND blocked=0, "Q Not Blocked",
         like(src,"150.29.121.%") AND blocked=0, "Q Not Blocked",
         NOT like(src,"14.19.106.%") AND blocked=1, "Non Q Blocked",
         NOT like(src,"150.29.121.%") AND blocked=1, "Non Q Blocked",
         NOT like(src,"14.19.106.%") AND blocked=0, "Non Q Not Blocked",
         NOT like(src,"150.29.121.%") AND blocked=0, "Non Q Not Blocked")
| top showperc=f BlockedStatus by eventtype
| stats list(*) as * by BlockedStatus
| sort 0 - count
Now I want each BlockedStatus (Q Blocked, Q Not Blocked, Non Q Blocked and Non Q Nonblocked) to give a total count, grouped as follows:
Q Blocked = 12 Local Market
11 foo
10 ES
11 GR
======================
Total = 44
Q Not Blocked = 32 Local Market
10 foo
20 ES
15 GR
======================
Total = 77
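One way to produce a per-status count broken down by eventtype together with a per-status total, as an added example that is not part of the original post. It assumes the same index and the same src, blocked and eventtype fields as the question; the Q/Non Q split is derived once from the two source prefixes instead of being spelled out in eight case() branches, which gives the same four labels:

```spl
index=xyz
| eval is_q = if(like(src,"14.19.106.%") OR like(src,"150.29.121.%"), "Q", "Non Q")
| eval BlockedStatus = is_q . if(blocked=1, " Blocked", " Not Blocked")
| stats count by BlockedStatus, eventtype
| eventstats sum(count) as Total by BlockedStatus
| sort 0 BlockedStatus, - count
```

stats produces one row per BlockedStatus/eventtype pair with its count (the 12 Local Market, 11 foo, ... lines in the desired layout), and eventstats adds a Total column holding the sum of those counts within each BlockedStatus without collapsing the rows, so every row carries its group's total (44 for Q Blocked, 77 for Q Not Blocked in the example figures). Note that in the original case() expression the order of the branches matters: the "Non Q" branches are only reached by events whose src matched neither prefix, because both prefixes are consumed by the earlier "Q" branches; the OR-based version above makes that intent explicit.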