I have a few files. They all have the same columns and look like this:
timestamp field1 field2
...
1544079360.84132 99
1544079363.52629 98
1544081067.48075 100
1544081377.48521 100
...
I want to count the files in which both field1 and field2 reached 100 or above.
I tried:
... | search field1>=100 AND field2>=100
but it didn't work. I believe it's because there were null values.
So I tried filldown:
... | filldown field1, field2
but it's still not working.
I also tried eventstats, with no luck. I would also rather not use eventstats, as it gets very slow as the data grows.
Any thoughts? Thank you!
Hi @fzhao2,
try this...
....|where field1>=100 OR field2>=100
Worked for me
| makeresults
| eval field1="99, , ,100"
| makemv delim="," field1
| mvexpand field1
| appendcols
[| makeresults
| eval field2=", ,98,100, ,"
| makemv delim="," field2
| mvexpand field2]
|where field1>=100 OR field2>=100
@fzhao2 ,
You might want an OR instead of AND, since you don't have values for both fields at the same time.
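
An added example, not part of the original thread: a per-file count of the kind the question asks for. It assumes each file is identified by the default `source` field; the rows and the `constructed_*.log` names are constructed sample data, and no row carries both fields at once.

```spl
| makeresults
| eval raw="constructed_a.log,99,;constructed_a.log,,98;constructed_a.log,100,;constructed_a.log,,100;constructed_b.log,100,;constructed_b.log,,97"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<source>[^,]*),(?<field1>[^,]*),(?<field2>[^,]*)$"
| eval field1=tonumber(field1), field2=tonumber(field2)
| stats max(field1) AS max_field1 max(field2) AS max_field2 BY source
| where max_field1>=100 AND max_field2>=100
| stats count AS files_reaching_100
```

Because `stats max()` skips events where the field is null, each file collapses to one row holding both maxima, so the AND comparison is applied per file rather than per event and no `filldown` or `eventstats` is needed.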