Re: Combining counts within a search

bro_coded101 · ‎09-08-2022

My current search is:

`index`
| search source="Main Source" | fields identifier, status_label
| chart count over identifier by status_label

My output statistics for this search looks like this

Identifier | F1 | F2 | F3 | F4 | F5

ID_1 | 6 | 4 | 3 | 2 | 0

ID_2 | 0 | 3 | 7 | 9 | 4

I need to combine F1, F3, and F4 as Total_1 and F2 + F5 as Total_2 for each identifier.

I only want my table to show Identifier, Total_1, and Total_2

Is this possible?

andrew_nelson · ‎09-08-2022

You should be able to add an eval after your chart.

| eval Total_1=F1+F3+F4, Total_2=F2+F5
| table identifier Total_1 Total_2

bro_coded101 · ‎09-08-2022

When I use that eval the returning table no longer shows a numerical count. Instead, it shows text such as

ID_1 | F1F3 | F2

andrew_nelson · ‎09-08-2022

Are your status labels actually numbers ?

How to combine counts within a search?