Hi @isoutamo 

If i use | stats Count  i am getting value .But i want to show in pie chart. So i checked in the visualization it showing as no result.

Well, you can't show a single value in a pie chart. It makes no sense 🙂

So think about what you really want counted.

Also remember that the counting aggregation functions over specific fields (count and dc) count each value even within multivalued fields. That can produce results you'd not expect.

A run-anywhere example:

| makeresults count=100
| streamstats count
| eval count=tostring(count)
| eval digits=split(count,"")
| stats count as eventcount count(digits) as digitcount

It will generate a list of 100 numbers, then it will split the numbers rendered into text into separate digits. And finally it will count both the overall events (which predictably will be 100 since that's how many events we generated) and digits which will say 192 because you had 9 single-digit numbers, 90 two-digit numbers and one three-digit number which got split into 192 single digits spread among 100 events.

So be wary when using the count() and dc() aggregation functions.

Hi @PickleRick 

As i tried by condition .So its showing as by the correlationId.But i want to show the count of lastRunTime field count.If i use lastRunTime  the chart will show all the counts.But i need to club all the values into one.Below the query and i need to show values as 

LastRunTimeCount - 79 in the pie chart

content..lastRunTime="*" content.lastRunTime!="NA"  
[search index="Test" applicationName="scheduler" content.lastRunTime="*"  content.lastRunTime!="NA" | stats latest(correlationId) as correlationId | table correlationId|format]|rename content.lastRunTime as LastRunTimeCount | stats Count(LastRunTimeCount) as total by correlationId