23 Jul 2024 08:36 AM - last edited on 24 Jul 2024 07:06 AM by MaciejNeumann
20 Nov 2024 09:59 AM
Hello @biswajit-roy76,
Could you provide more context to your question so our DQL experts can investigate your specific use case?
20 Nov 2024 03:48 PM
You can "append" the search result for another log source and count at the end.
Example:
fetch logs
| filter dt.system.bucket == "infra_logs"
| append [
    fetch logs
    | filter dt.system.bucket == "app_logs"
  ]
| summarize count(), by:{dt.system.bucket}
25 Nov 2024 10:40 AM
You could use the countIf aggregation function in the DQL summarize command, e.g.:
fetch logs
| summarize messages=countIf(log.source == "/var/log/messages"), syslog=countIf(log.source == "/var/log/syslog")
| fieldsAdd syslog_is_larger = syslog > messages