Users can appear in both fields. I would like to have a way to create stats about distinct users. That's why I wanted to set two aliases:
Then I would have to deal only with one field (C) in the search.
PS: Next to that, I don't know how to handle a search for distinct users over 2 fields 😉
I tried this out, but dc(c) is always equal to dc(a).
The fields A & B can both appear in one event. So I think that's why this command is just using the users of the field A.
I thought I could collect all users from A & B in this field and use dc(C) to get the total distinct user count.
But it doesn't make sense via an alias, because there would be more than 1 value for the field C in each event?!
In the end, I'm just looking for a way to dc(users). These users can appear in the fields A & B.
That's beyond an alias. You basically want to merge A and B into a multi-value field.
You can eval your way there though, like this:
index=_internal | eval sst = source."###".sourcetype | makemv sst delim="###" | stats dc(source) dc(sourcetype) dc(sst)
Imagine source is A, sourcetype is B, and sst is C. That eval should be includable in a calculated field, but probably not the makemv. You can go macro of course.
I'll switch languages, that makes it a bit easier 😉
I can follow your approach so far, but dc(sst) doesn't seem to work as desired. Is every single element of the multivalue fields supposed to be counted here?
| eval C=A."###".B | makemv C delim="###" | stats dc(A), dc(B), dc(C)
Also, "sst" is often empty.
That's the plan. Example:
| stats count as foo | eval foo = "1-1,2-3,3-5" | makemv foo delim="," | mvexpand foo | makemv foo delim="-" | appendpipe [stats dc(foo)]
foo    dc(foo)
1 1
2 3
3 5
.      4
dc(foo) is correct, because foo contains 1,2,3,5 - so distinct count = 4.
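
An added example, not part of the original thread: the same merge run on constructed events in which A or B is sometimes missing, comparing the concatenate-and-makemv approach from the thread with the eval function mvappend, which skips null arguments. The user names, the helper field n and the field name C_concat are assumptions made for the illustration, and the triple-backtick inline comments need a Splunk version that supports them.

```spl
| makeresults count=4 ```constructed sample events, not data from the thread```
| streamstats count AS n
| eval A=case(n==1,"alice", n==2,"bob", n==4,"carol") ```A is null in event 3```
| eval B=case(n==1,"bob", n==3,"dave", n==4,"carol") ```B is null in event 2```
| eval C_concat=A."###".B ```approach from the thread: null whenever A or B is null```
| makemv delim="###" C_concat
| eval C=mvappend(A, B) ```multivalue merge that keeps whichever of A and B is present```
| stats dc(A) dc(B) dc(C_concat) dc(C)
```

Because string concatenation with a null field yields null, dc(C_concat) only sees users from events that carry both fields, while dc(C) counts every distinct user seen in either field.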