Hello, thank you in advance for your time.
I need to perform the sum of similar fields that results in a chart.
My current query is the following:
...| chart count by path, auditJsonMessage.Code | rename path as "EndPoint"
| addtotals | rename Total as "Total Calls"
As a result it gives the following.
But what I want is for all the "EndPoints" that are even to be added and show a single row with the http code total.
| chart sum(count) as "Total Calls" by path, auditJsonMessage.Code
| rename path as "EndPoint"
Hi @Borys,
Instead of the chart command, you could first combine relevant data. Maybe this will work for you?
...
| stats count by EndPoint,Code
| stats sum(count) as sum, values(EndPoint) as EndPoints by count, Code
| rename sum as count
| nomv EndPoints
| chart sum(count) by EndPoints,Code
| fillnull value=0After the initial stats command the above block groups again but by count and code, keeping endpoint values and the related sum. The nomv command is needed to flatten the result of the EndPoints, so the chart command can't split that result again. The final command fills the remaining empty values.
I've tested the above with the makeresults command:
| makeresults format=csv data="EndPoint,auditJsonMessage.Code
/test1,200
/test1,200
/test2,400
/test2,200
/test3,201
/test3,303
/test4,201"
| rename auditJsonMessage.Code as Code
| stats count by EndPoint,Code
| stats sum(count) as sum, values(EndPoint) as EndPoints by count, Code
| rename sum as count
| nomv EndPoints
| chart sum(count) by EndPoints,Code
| fillnull value=0Which gave me the following output: