Assuming your fields do NOT have multivalues, give this a shot: ...| chart list(Field-A) as Field-A by Field-B
Thanks surya,
I already tried "...| chart list(Field-A) as Field-A by Field-B"; it did not help.
The output contains rows where each row of Field-A maps to all the rows of Field-B
hi @brahmasa,
Thanks for posting. Did @cusello's fix work? If so, approve his answer and give him an upvote. Otherwise, let us know what your problem is so others can try to help out!
Hi brahmasa,
try something like this:
index=my_index
| stats sum(Field-A) AS Field-A BY Field-B
then you can represent it as a histogram.
Bye.
Giuseppe
OK, but is the value 12 for January from a single row, or is it the sum of more rows?
This is the main question: if it's a single value, you have to use:
index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
If instead it's the sum of more rows, you have to use:
index=my_index
| stats sum(Field-A) AS Field-A BY Field-B
Bye.
Giuseppe
Hi Giuseppe,
Field-A and Field-B values are extracted by me from the logs using regex. There is no sum.
index **|
| rex field=_raw "(?\s+\d{1,4}\s\w\w\s+|\s+\w+.\w+)" max_match=50
| rex field=Afields (?\d+)
| rex field=Afields (?\s\w+.\w+)
| table Field-A Field-B
Sorry if I am not managing to explain myself:
I understand that Field-A and Field-B are extracted from your logs by regex.
The answer is related to the result you want:
e.g. the value "asssd" (that's in your previous message) has values 10, 4, 62, 87; what's the result you want:
?
Bye.
Giuseppe
Hi Giuseppe,
One row with each value will be correct.
asssd 10
asssd 4
asssd 62
asssd 87
Thanks,
Hi brahmasa,
OK, try this:
index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
and then visualize the results using histograms.
Bye.
Giuseppe
Thanks Giuseppe, yes, I have more rows. When I use
index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
I get the below as output.
10 abcdef
10 ddkjh
10 asasd
10 nanko
10 asssd
10 ddggg
10 fffff
10 fffht
10 xxxcc
4 abcdef
4 ddkjh
4 asasd
4 nanko
4 asssd
4 ddggg
4 fffff
4 fffht
4 xxxcc
62 abcdef
62 ddkjh
62 asasd
62 nanko
62 asssd
62 ddggg
62 fffff
62 fffht
62 xxxcc
87 abcdef
87 ddkjh
87 asasd
87 nanko
87 asssd
87 ddggg
87 fffff
87 fffht
87 xxxcc
Thanks Giuseppe,
The sum function returns some weird values, as below.
e.g.:
1830
1830
1830
3660
1830
1830
1830
1830
3660
3660
1830
1830
1830
1830
3660
3660
1830
1830
Field-A contains the digits below:
10
4
62
87
79
22
57
6
1120
39
57
11
60
6
4
30
4
6
7
Hi brahmasa,
Do you have more rows for the same value in Field-B?
If yes, in this way you get the sum of each value.
If instead you want a row for each record (including duplicated values), you could run something like this:
index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
Bye.
Giuseppe
Let me understand your need:
In the first case you have to use
index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
In the second case you have to use
index=my_index
| stats sum(Field-A) AS Field-A BY Field-B
Bye.
Giuseppe