Hi All,
I'm trying to create a pie chart where i'v 2 search result sets from different condition and different source. But i'm not able to join the result set into one pie chart.
index=A sourcetype=B host=C | rex "pattern1" | chart count(field1) AS result1
index=A sourcetype=B host=C | rex "pattern2" | chart count(field2) AS result2
index=A sourcetype=B host=D | rex "pattern3" | chart count(field3) AS result3
PieChart should represent resullt1, result2, others(resul3 - result1 - result2) out of result3
try this:
index=A sourcetype=B host=C | rex "pattern1" | chart count(field1) AS result1 | append [search
index=A sourcetype=B host=C | rex "pattern2" | chart count(field2) AS result2] | append [search
index=A sourcetype=B host=D | rex "pattern3" | chart count(field3) AS result3] | fillnull
| stats sum(result1) as result1 sum(result2) as result2 sum(result3) as result3 | eval result3=result3-result1-result2 | transpose
try this:
index=A sourcetype=B host=C | rex "pattern1" | chart count(field1) AS result1 | append [search
index=A sourcetype=B host=C | rex "pattern2" | chart count(field2) AS result2] | append [search
index=A sourcetype=B host=D | rex "pattern3" | chart count(field3) AS result3] | fillnull
| stats sum(result1) as result1 sum(result2) as result2 sum(result3) as result3 | eval result3=result3-result1-result2 | transpose
This is perfect. Thanks jitendragupta.
Hi habisht,
you have to use the eval command to discriminate the values, something like this:
index=A sourcetype=B (host=C OR host=D)
| rex "regex<field1>regex"
| rex "regex<field2>regex"
| rex "regex<field3>regex"
| eval result=if(field1="Pattern1","result1","")
| eval result=if(field2="Pattern2","result2",result)
| eval result=if(field1!="Pattern1" OR field2!="Pattern2","result3",result)
| stats count BY result
Bye.
Giuseppe