Hi,
let's say we have an event with
Field1=A
Field2=B
and another event with
Field1=B
Field2=A
How can I count all events grouped by such kind of value combination even if the values appear in different fields?
I could use
count(eval(if((Field1="A" AND Field2="B") OR (Field1="B" AND Field2="A"), source, null())))
But there is no static list of possible values for the fields, so it needs to be a dynamic search.
I'm expecting some kind of multivalue transformation but can't find a solution.
Thanks in advance
Like this:
... | eval ValueA="No" | eval ValuePound="No" | foreach * [
eval ValuePound=if(($<<FIELD>>$="#"), "<<FIELD>>", ValuePound)
| eval ValueA=if(($<<FIELD>>$="A"), "<<FIELD>>", ValueA) ]
| stats count(eval(ValueA!="No")) AS NumValueA count(eval(ValuePound!="No")) AS NumValuePound
Give this a try:
your base search | eval groupfield=mvsort(split(Field1."#".Field2,"#")) | stats count by groupfield
This results in a count by every value, so twice the amount of events.
This seems to work:
| eval mv='field1'."#".'field2'
| makemv delim="#" mv
| eval groupfield=mvsort(mv)
| makemv delim="#" groupfield
| stats count by groupfield
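As an added example (not from any of the posters above): the reason `stats count by groupfield` on a multivalue field yields one row per value is that stats splits a multivalue group-by key into its individual values. Joining the sorted values back into a single string with mvjoin gives each unordered pair one single-valued key, so both events from the question land in the same row. Field1 and Field2 are the names from the question; "#" is the delimiter the thread already uses and is assumed never to occur inside a value.

```spl
... | eval groupfield=mvjoin(mvsort(split(Field1."#".Field2, "#")), "#")
    | stats count BY groupfield
```

With this, an event with Field1=A, Field2=B and one with Field1=B, Field2=A both get groupfield "A#B" and are counted together; the sort is lexicographic, so the order inside the key is stable regardless of which field held which value. The same pattern applies to any pair of fields where direction does not matter for the count.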