Solved: Chart not displaying unique counts

sheloaha · ‎07-09-2019

I'm trying to chart the count of how many different methods are detected during a specific search. The methods are in different fields so I am using makemv and delim to create one field called "method". When I do chart or stats count by method I get a pie chart that contains equal sections. I need to have the actual count of each method instead. What am I missing?

woodcock · ‎07-10-2019

Your mistake is using transaction and also mvexpand try this instead:

basic search
| stats values(*) AS * BY UID 
| rename fieldA as Create, fieldB as Close, fieldC as Update, fieldD as PostClose, fieldE as Reopen 
| eval method=mvappend(Create,Close,Update,PostClose,Reopen)
| chart count BY method

View solution in original post

woodcock · ‎07-10-2019

Your mistake is using transaction and also mvexpand try this instead:

basic search
| stats values(*) AS * BY UID 
| rename fieldA as Create, fieldB as Close, fieldC as Update, fieldD as PostClose, fieldE as Reopen 
| eval method=mvappend(Create,Close,Update,PostClose,Reopen)
| chart count BY method

Chart not displaying unique counts

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor