I'll probably find my solution finally but if someone has something at hand, I'd be grateful for sharing 🙂
I have some results. Let's say they are like this:
| Count | FieldA | FieldB |
| 11 | a | |
| 12 | b | |
| 34 | c | 1 |
| 54 | d | 1 |
| 462 | e | |
| 0 | f | 3 |
| 12 | g | 3 |
| 4 | h | 3 |
I would like the values from the count column summed up but only for the events that have FieldB defined. For the rest, I want them lest split by FieldA. For those summed up I want the FieldA to be aggregated into a multivalue field
So effectively the output should be like
| Count | FieldA | FieldB |
| 11 | a | |
| 12 | b | |
| 88 | c
d | 1 |
| 462 | e | |
| 16 | f
g
h | 3 |
OK. I think I can get it done by adding another column being created conditionally either from fieldA or fieldB, then aggregating by this field. Something like this:
<initial search>
| eval tempfield=if(isnull(fieldB),"fieldA-".fieldA,"fieldB-".fieldB)
| stats sum(count) as count values(fieldA) as fieldA values(fieldB) as fieldB by tempfield
| fields - tempfield
Any nicer way?
