hi @to4kawa I don't know why but i am getting only one value in the table

you want to select STATUS and display by Pie Chart ,ID count?
what's this token $state$?

hi @to4kawa i got pie chart using @kamlesh_vaghela's solution. Now i want a drill down from that pie chart. The token $state$ is STATUS. On clicking the respective STATUS it should lead to a table containing all the ID's. I am trying for that, if you know how to do it can you please help me in this!!

I see, I'll count total DURATION.
my answer is updated.

Hi @to4kawa thank you so much for the response. It is working, but the output table is having only 3 rows. But the data has many testcases.

hi @anooshac, my answer is updated.

It is working , but some of the values are repeating in table. Why is that so?

JOB_NUM,JOB_TIME,JOB_STATUS,JOB_DURATION are dare to display multiple.
Do not you need them?

I need to group the IDs. Thanks a lot for responding. I got the answer using @kamlesh_vaghela's solution. I am trying to make a drill down from the pie chart .
The query is,
index=''abc" STATUS="$state$" | table TESTCASES{}.ID,TESTCASES{}.DURATION,TESTCASES{}.STATUS

But i am not getting proper answer. Do you know how to solve this?

my answer is updated.

Hi @kamlesh_vaghela thank you so much for your response. It worked!!
But when i execute |stats count(ID) by STATUS i get count more than the actual count of IDs. Is it event count?
If i give distinct_count the IDs which are repeated will not be added into the count.What will be the problem here?

@anooshac yes it is event count.

Try this for distinct ID count

|stats dc(ID) by STATUS

Hi @kamlesh_vaghela It is working! Once again thanks a lot!
I need one more help. I am trying to give one drill down from this result to display the IDs of respective status. I saved this result as pie chart. When i click on any status the drill down is displaying all the IDs instead of respective ID's of that status. My query is

index=''abc" STATUS="$state$" | table TESTCASES{}.ID,TESTCASES{}.DURATION,TESTCASES{}.STATUS

How can i correct this? can you please help me!!

@anooshac

Try this XML. You will get idea about drilldown.

<dashboard>
  <label>Pie Chart Drilldown Example</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="abc" | rename TESTCASES{}.* as * | eval tmp = mvzip(mvzip(mvzip(ID,STATUS),TIME),DURATION) | mvexpand tmp | eval ID=mvindex(split(tmp,","),0),STATUS=mvindex(split(tmp,","),1),TIME=mvindex(split(tmp,","),2),DURATION=mvindex(split(tmp,","),3)| table JOB_NUM JOB_TIME JOB_STATUS JOB_DURATION ID TIME DURATION STATUS | stats dc(ID) as ID_Count by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <link target="_blank">search?q=index="abc" | rename TESTCASES{}.* as * | eval tmp = mvzip(mvzip(mvzip(ID,STATUS),TIME),DURATION) | mvexpand tmp | eval ID=mvindex(split(tmp,","),0),STATUS=mvindex(split(tmp,","),1),TIME=mvindex(split(tmp,","),2),DURATION=mvindex(split(tmp,","),3) | where STATUS="$click.value$"| table JOB_NUM JOB_TIME JOB_STATUS JOB_DURATION ID TIME DURATION STATUS</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

hi @kamlesh_vaghela i tried and i don't know why but the values are displaying twice in the table.

@anooshac

Can you please share search you implemented in drilldown? please mask confidential values if there.