I'm trying to chart the count of how many different methods are detected during a specific search. The methods are in different fields so I am using makemv and delim to create one field called "method". When I do chart or stats count by method I get a pie chart that contains equal sections. I need to have the actual count of each method instead. What am I missing?
basic search
| transaction UID
| rename fieldA as Create, fieldB as Close, fieldC as Update, fieldD as PostClose, fieldE as Reopen
| eval method="Create,Close,Update,PostClose,Reopen"
| makemv method delim=","
| mvexpand method
| chart count by method
Your mistake is using transaction and also mvexpand. Try this instead:
basic search
| stats values(*) AS * BY UID
| rename fieldA as Create, fieldB as Close, fieldC as Update, fieldD as PostClose, fieldE as Reopen
| eval method=mvappend(Create,Close,Update,PostClose,Reopen)
| chart count BY method
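A self-contained reproduction of the equal-slices symptom, added here as an example that is not part of either post: the `eval` in the question assigns the same literal list of names to every event, so after `mvexpand` each name is counted once per event regardless of the data. The three events and their "x" values are constructed, and treating a method as present when its field is non-null is an assumption about the data; `present`, `populated` and the two output column names are hypothetical.

```spl
| makeresults count=3
| streamstats count AS UID
| eval Create="x", Close=if(UID<=2, "x", null()), Update=if(UID=1, "x", null())
| eval present=mvappend(if(isnotnull(Create), "Create", null()), if(isnotnull(Close), "Close", null()), if(isnotnull(Update), "Update", null()))
| eval method="Create,Close,Update"
| makemv delim="," method
| mvexpand method
| eval populated=if(isnotnull(mvfind(present, "^" . method . "$")), 1, 0)
| stats count AS count_from_literal_list sum(populated) AS count_from_populated_fields BY method
```

The `count_from_literal_list` column is 3 for every method, which is what produces the equal pie sections, while `count_from_populated_fields` is 3 for Create, 2 for Close and 1 for Update.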