Hi
Assuming a sample of data from this example:
| makeresults count=5
| eval f1=random()%2
| eval f2=random()%2
| eval f3=random()%2
| eval f4=random()%2
| eval H=round(((random() % 102)/(102)) * (104 - 100) + 100)
H | f1 | f2 | f3 | f4 |
100 | 1 | 0 | 0 | 1 |
100 | 1 | 1 | 0 | 1 |
101 | 1 | 1 | 0 | 0 |
102 | 1 | 1 | 1 | 0 |
I want to build a chart which contains the distinct count of H for f1,f2,f3,f4 with 1
f1 | f2 | f3 | f4 |
3 | 3 | 1 | 1 |
Can someone help?
| foreach f1 f2 f3 f4
[| eval <<FIELD>>=if(<<FIELD>>==1,1,null())]
| eventstats dc(H) as d1 by f1
| eventstats dc(H) as d2 by f2
| eventstats dc(H) as d3 by f3
| eventstats dc(H) as d4 by f4
| stats values(d*) as d*
Didn't work.
One possible way was:
f1=1 | stats dc(H)
|appendcols [search f2=1 | stats dc(H)]
| appendcols [search f3=1 | stats dc(H)]
| appendcols [search f4=1 | stats dc(H)]
but it is not efficient
In what way didn't it work?
Here is a runanywhere example showing it working - I have used eventstats for the final command so you can see the random values used
| makeresults count=5
| fields - _time
| eval f1=random()%2
| eval f2=random()%2
| eval f3=random()%2
| eval f4=random()%2
| eval H=round(((random() % 102)/(102)) * (104 - 100) + 100)
| foreach f1 f2 f3 f4
[| eval <<FIELD>>=if(<<FIELD>>==1,1,null())]
| eventstats dc(H) as d1 by f1
| eventstats dc(H) as d2 by f2
| eventstats dc(H) as d3 by f3
| eventstats dc(H) as d4 by f4
| eventstats values(d*) as d*
My search isn't created with makeresults; I only put it as an example.
It doesn't work because if I use:
search | foreach f1 f2 f3 f4 [| eval <<FIELD>>=if(<<FIELD>>==1,1,null())] | eventstats dc(H) as d1 by f1 | eventstats dc(H) as d2 by f2 | eventstats dc(H) as d3 by f3 | eventstats dc(H) as d4 by f4 | stats values(d*) as d*
the result of f1 is different compared with the result if I use:
search f1=1 |stats dc(H)
Given the limited amount of information you have given, it is not possible to determine the reason for the difference. Your example data does not represent your real data closely enough. For example, do you have special characters / non-alphanumeric characters in your field names? Are your fields multi-valued or appear in your events more than once? If possible, please share a representative example of your data without showing any sensitive data.
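An added example, not posted by anyone in this thread: the same four counts in a single stats pass, using dc() over an eval expression so that H is only counted on rows where the flag is 1. The four sample rows from the question are rebuilt inline as constructed data (the field name constructed_rows and the helper field v are assumptions made for the example); on real data everything up to the fields command would be replaced by the base search.

```spl
| makeresults
| eval constructed_rows=split("100,1,0,0,1;100,1,1,0,1;101,1,1,0,0;102,1,1,1,0", ";")
| mvexpand constructed_rows
| eval v=split(constructed_rows, ","),
       H=tonumber(mvindex(v, 0)),
       f1=tonumber(mvindex(v, 1)),
       f2=tonumber(mvindex(v, 2)),
       f3=tonumber(mvindex(v, 3)),
       f4=tonumber(mvindex(v, 4))
| fields H f1 f2 f3 f4
| stats dc(eval(if(f1==1, H, null()))) as f1
        dc(eval(if(f2==1, H, null()))) as f2
        dc(eval(if(f3==1, H, null()))) as f3
        dc(eval(if(f4==1, H, null()))) as f4
```

Each dc(eval(...)) must be renamed with "as", and the whole result is one row with one column per flag, which avoids both the appendcols subsearches and the chained eventstats.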