Hi all,
Is it possible to combine several field variables into one variable but keep it in the same field? Here is an example:
If my result output looks like so:
Successfully 5
Failed 10
Failure 5
Success 30
I would like to be able to combine the variable "Successfully" and "Success" (along with their corresponding count value) and name the variable "Success" ... essentially this is what I would like to display when combining terms and values:
Success 35
Fail 15
I hope this makes sense?
Thank you!
Based on your comments below the question lets say if the field myField
has strings Successfully, Success, Failure and Failed
and count
has its count then can you try below:
your stats query to return myField and count
| eval newField=case(myField="Success" OR myField="Successfully", "Success", myField="Failure" OR myField="Failed", "Fail", 1=1, "dummy")
| stats sum(count) by newField
OR if you wanna reuse the field, try if this works for you:
your stats query to return myField and count
| eval myField=case(myField="Success" OR myField="Successfully", "Success", myField="Failure" OR myField="Failed", "Fail", 1=1, "dummy")
| stats sum(count) by myField
Based on your comments below the question lets say if the field myField
has strings Successfully, Success, Failure and Failed
and count
has its count then can you try below:
your stats query to return myField and count
| eval newField=case(myField="Success" OR myField="Successfully", "Success", myField="Failure" OR myField="Failed", "Fail", 1=1, "dummy")
| stats sum(count) by newField
OR if you wanna reuse the field, try if this works for you:
your stats query to return myField and count
| eval myField=case(myField="Success" OR myField="Successfully", "Success", myField="Failure" OR myField="Failed", "Fail", 1=1, "dummy")
| stats sum(count) by myField
Yes eval can be used and if other fields are not required they can be removed:
eval Success=Success+Successfully| eval Fail=Failure+Failed | fields - Successfully Failure Failed