Hello Experts,
This is a long searches, explored query that I am getting a way around.
If we do a simple query like this
index=zzzzzz
| stats count as Total, count(eval(txnStatus="FAILED")) as "Failed_Count", count(eval(txnStatus="SUCCEEDED")) as "Passed_Count" by country, type, ProductCode
| fields country, ProductCode, type, Failed_Count, Passed_Count, Total
This above simple query gives me a result table where the total belongs to the specific country and productCode i.e. individual Total
Now there is this field 'errorinfo' - what I want is that I want to show the 'errorinfo' if its "codeerror" as well in the above list like this
index=zzzzzz
| stats count as Total, count(eval(txnStatus="FAILED")) as "Failed_Count", count(eval(txnStatus="SUCCEEDED")) as "Passed_Count" by country, type, ProductCode, errorinfo
| fields country, ProductCode, type, Failed_Count, Passed_Count, errorinfo, Total
This table shows results like this below
| country | ProductCode | type | Failed_Count | Passed_Count | errorinfo | Total |
| usa | 111 | 1c | 4 | 0 | wrong code value | 4 |
| usa | 111 | 1c | 6 | 0 | wrong field selected | 6 |
| usa | 111 | 1c | 0 | 60 | NA | 70 |
How can I do so that I can see the results like this where Total remains the complete total of field txnStatus (FAILED+SUCCEEDED)
like below table - If I can achieve this I can do % total as well, if you see the Total belongs to one country - usa total shows usa total and canada total shows can total
| country | ProductCode | type | Failed_Count | errorinfo | Total |
| usa | 111 | 1c | 4 | wrong code value | 70 |
| usa | 111 | 1c | 6 | wrong field selected | 70 |
| can | 222 | 1b | 2 | wrong entry | 50 |
| can | 222 | 1b | 6 | code not found | 50 |
| country | ProductCode | type | Failed_Count | errorinfo | Total |
| usa | 111 | 1c | 4 | wrong code value | 70 |
| usa | 111 | 1c | 6 | wrong field selected | 70 |
Thanks in advance
Nishant
