This is the query I've written:
| eval sr1=if(priority=1, 1, 0) | eval sr3=if(priority=3, 1, 0) | eval sr2=if(priority=2, 1, 0)
| table caseNumber sr1 sr2 sr3
| eventstats sum(sr3) as totalsr3, sum(sr2) as totalsr2, sum(sr1) as totalsr1
| stats first(totalsr1) first(totalsr2) first(totalsr3)
Output:
first(totalsr1) first(totalsr2) first(totalsr3)
0 1 128
But the column chart shows only 2 columns (first(totalsr2) first(totalsr3)). The data might change in future to have a non-zero value in only ONE field, so I want to show the column graph with zero values too and not omit them. What am I missing?
Hi @ayushizile
You have to give one x-axis, or you can add |transpose to the end of your query:
| eval sr1=if(priority=1, 1, 0) | eval sr3=if(priority=3, 1, 0) | eval sr2=if(priority=2, 1, 0)
| table caseNumber sr1 sr2 sr3
| eventstats sum(sr3) as totalsr3, sum(sr2) as totalsr2, sum(sr1) as totalsr1
| stats first(totalsr1) first(totalsr2) first(totalsr3) |transpose
Transpose is not working. It is giving incorrect results. What do you mean by "You have to give one x-axis"?
@ayushizile
It means that in your query the first value is being taken as the x-axis. Transpose will work, or add another column with a name or time, anything; you will know the issue.
Unfortunately, after transpose the data is incorrect. It does not just invert rows and columns. The values before and after transpose are different.
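The "add another column with a name" suggestion above, written out as an added example that is not part of the original thread: a column chart uses the first column of the result table as the x-axis, so a text label placed first leaves all three totals, including a zero, as plotted series. The field name `series`, its value, and the base-search placeholder are assumptions; the per-priority sums are computed with `stats` directly instead of `eventstats` plus `first()`.

```spl
<base search returning caseNumber and priority>
| eval sr1=if(priority=1, 1, 0), sr2=if(priority=2, 1, 0), sr3=if(priority=3, 1, 0)
| stats sum(sr1) as totalsr1, sum(sr2) as totalsr2, sum(sr3) as totalsr3
| eval series="Cases by priority"
| table series totalsr1 totalsr2 totalsr3
```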