I have a search that breaks down what files were accessed, how much data was retrieved and how many total requests for one particular field. Example search query below:
index="my_index" source="access_log" directory="/my_app/" | chart count(status_code) AS Requests, sum(file_size) AS TotalData, values(path_to_file) AS FileRequested BY directory
The above query produces something like:
directory   Requests   TotalData   FileRequested
my_app      10         345677      html/index.html
                                   images/happy_face.png
                                   dynamic/more_happy.py
While this is fine if you only care about the TOTAL number for the entire directory, I would like to break it down so that I can display the number of requests and total data for each of the files requested, listed by the directory. The directory should only be displayed once, like the example above. Any suggestions? I've tried a couple of different ways, but I can't get the directory to only display once and the rest of the rows populated with relevant data per file requested.
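One way to get a per-file breakdown while still showing the directory only once, as an added example that is not part of the original post: split the aggregation by both `directory` and `path_to_file`, then use `streamstats` to number the rows inside each directory and blank the directory on every row except the first. The field names (`directory`, `path_to_file`, `file_size`, `status_code`) are taken from the query above; the sort order and the `rank` helper field are assumptions.

```spl
index="my_index" source="access_log" directory="/my_app/"
| stats count(status_code) AS Requests, sum(file_size) AS TotalData BY directory, path_to_file
| rename path_to_file AS FileRequested
| sort directory, -TotalData
| streamstats count AS rank BY directory
| eval directory=if(rank==1, directory, "")
| fields - rank
| table directory, FileRequested, Requests, TotalData
```

Blanking `directory` is purely cosmetic for the results table, so do it as the last step: any later filtering or alerting on `directory` (for example flagging a single file whose TotalData is far above the rest of its directory) should run before the `eval`.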