Thanks surya ,

I already tried "...| chart list(Fieild-A) as Field-A by Field-B" , did not help.

The output contains rows where each row of Field-A maps to all the rows of Field-B

Hi Giuseppe,

sorry if I wasn't clear. below is exactly what I want.

ok, but the value 12 for January is from a single row or it's the sum of more rows?
this is the main question: if it's a single value, you have to use:

index=my_index
 | stats values(Field-A) AS A BY Field-B Field-A
 | fields - A 

if instead it's the sum of more rows, you have to use:

index=my_index
| stats sum(Field-A) AS Field-A BY Field-B

Bye.
Giuseppe

Hi Giuseppe,

Field-A and Field-B values are extracted by regx by me from logs. There is no sum .
index **|
| rex field=_raw "(?\s+\d{1,4}\s\w\w\s+|\s+\w+.\w+)" max_match=50
| rex field=Afields (?\d+)
| rex field=Afields (?\s\w+.\w+)
| table Field-A Field-B

Sorry if I cannot reach to explain:
I understand that Field-A and Field-B are extracted from your logs by regex.
The answer is related to the result you want:
e.g. the value "asssd" (that's in your previous message) has values 10, 4, 62, 87, what's the result you want:

• one row with the sum of all values
  asssd 163
• one row with the higher value asssd 87
• one row with each value: asssd 10 asssd 4 asssd 62 asssd 87

?

Bye.
Giuseppe

Hi Giuseppe,

. one row with each value will be correct.

asssd 10
asssd 4
asssd 62
asssd 87

Thanks,

Hi brahmasa,
OK, try this:

   index=my_index
    | stats values(Field-A) AS A BY Field-B Field-A
    | fields - A

and the visualize results using Histograms.

Bye.
Giuseppe

Thanks Giuseppe, ya have more rows. when I use

index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A I get the below as output.

10 abcdef
10 ddkjh
10 asasd
10 nanko
10 asssd
10 ddggg
10 fffff
10 fffht
10 xxxcc
4 abcdef
4 ddkjh
4 asasd
4 nanko
4 asssd
4 ddggg
4 fffff
4 fffht
4 xxxcc
62 abcdef
62 ddkjh
62 asasd
62 nanko
62 asssd
62 ddggg
62 fffff
62 fffht
62 xxxcc
87 abcdef
87 ddkjh
87 asasd
87 nanko
87 asssd
87 ddggg
87 fffff
87 fffht
87 xxxcc

Thanks Giuseppe,
The sum function returns some weird values as below .
eg:
1830
1830
1830
3660
1830
1830
1830
1830
3660
3660
1830
1830
1830
1830
3660
3660
1830
1830

Field-A contains below digits
10
4
62
87
79
22
57
6
1120
39
57
11
60
6
4
30
4
6
7

Hi brahmasa,
have you more rows for the same value in Field-B?
if yes in this way you have the sum of each value.

in instead you want a row for each record (also duplicated values), you could run something like this:

index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A

Bye.
Giuseppe

Let me understand your need:

• do you want a row for each Field-B (in this way you could have more rows for each Field-B);
• or a row for each distinct value of Field-B with the sum of all Field-A related to that Field-B.

In the first case you have to use

index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A

In the second case you have to use

index=my_index
| stats sum(Field-A) AS Field-A BY Field-B

Bye.
Giuseppe