Let's say we have an event with
and another event with
How can I count all events grouped by such kind of value combination even if the values appear in different fields?
I could use
count(eval(if((Field1="A" AND Field2="B") OR (Field1="B" AND Field2="A"), source, null())))
But there is no static list of possible values for the fields so it needs to be a dynamic search.
I'm expecting some kind of multivalue transformation but can't find a solution.
Thanks in advance
...
| eval ValueA="No"
| eval ValuePound="No"
| foreach * [ eval ValuePound=if(($<<FIELD>>$="#"), "<<FIELD>>", ValuePound) | eval ValueA=if(($<<FIELD>>$="A"), "<<FIELD>>", ValueA) ]
| stats count(eval(ValueA!="No")) AS NumValueA count(eval(ValuePound!="No")) AS NumValuePound
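An added example, not part of the original posts: one way to count order-insensitive value combinations without a static value list is to build a sorted multivalue key from both fields and group on it. The field names Field1 and Field2 come from the question; the four events generated by makeresults are constructed sample data, and the "|" separator is an assumption that must not occur inside the field values.

```spl
| makeresults count=4
| streamstats count AS n
| eval Field1=case(n=1,"A", n=2,"B", n=3,"A", n=4,"C")
| eval Field2=case(n=1,"B", n=2,"A", n=3,"C", n=4,"C")
| eval combo=mvjoin(mvsort(mvappend(Field1, Field2)), "|")
| stats count BY combo
```

Because mvsort orders the values before they are joined, an event with A/B and an event with B/A produce the same combo key and are counted together. On real data, drop the first four lines and keep only the combo and stats lines after the base search.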