Hello
i have a raw with 5 columns from the same type and i want to compare the value of the cells of this 5 columns. how can i do it ?
thanks
use foreach
and match()
can you please explain how it will work ?
see command reference
| makeresults
| fillnull A B C D
| eval E=1
| foreach A B C D E
[ eval flag_<<FIELD>>=if(match('<<FIELD>>',"0"),"yes", "no")]
this is my query:
index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| bin span=1s _time
| chart count OVER _time BY eventtype
| foreach eventtype [ eval flag=if(match('<<eventtype>>',"0"),"yes", "no")]
im getting flag "no" for every raw even if there are mismatches ..
what am i missing ?
sorry, I've a mistake. I fix it.
index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| timechart span=1s count BY eventtype
| foreach eventtype
[ eval flag_eventtype=if(match('eventtype',"0"),"yes", "no")]
still same results..
what is the 0 stand for ?