1 Solution
I think using eventstats can get you the desired output you are looking for if I am interpreting your question correctly.
<base_search>
| eventstats
sum(eval(case('ProductCategory'=="productcat1", 'Sales Total'))) as productcat1,
sum(eval(case('ProductCategory'=="productcat2", 'Sales Total'))) as productcat2
Or for a more dynamic approach something like this may work.
<base_search>
| eventstats
sum("Sales Total") as overall_sales
by ProductCategory
| eval
overall_sales_json=json_object("fieldname", 'ProductCategory', "value", 'overall_sales')
| eventstats
values(overall_sales_json) as overall_sales_json
| foreach mode=multivalue overall_sales_json
[
| eval
fieldname=spath('<<ITEM>>', "fieldname"),
field_value=spath('<<ITEM>>', "value"),
combined_json=if(
isnull(combined_json),
json_object(fieldname, field_value),
json_set(combined_json, fieldname, field_value)
)
]
| fromjson combined_json prefix=dynamic_
| fields - combined_json, overall_sales_json, fieldname, field_value, overall_sales
``` Below code is if you only want the new fields on the first row ```
| streamstats
count as line_number
| foreach dynamic_*
[
| eval
<<FIELD>>=if(
'line_number'==1,
'<<FIELD>>',
null()
)
]
| fields - line_number
| rename
dynamic_* as *
I think using eventstats can get you the desired output you are looking for if I am interpreting your question correctly.
<base_search>
| eventstats
sum(eval(case('ProductCategory'=="productcat1", 'Sales Total'))) as productcat1,
sum(eval(case('ProductCategory'=="productcat2", 'Sales Total'))) as productcat2
Or for a more dynamic approach something like this may work.
<base_search>
| eventstats
sum("Sales Total") as overall_sales
by ProductCategory
| eval
overall_sales_json=json_object("fieldname", 'ProductCategory', "value", 'overall_sales')
| eventstats
values(overall_sales_json) as overall_sales_json
| foreach mode=multivalue overall_sales_json
[
| eval
fieldname=spath('<<ITEM>>', "fieldname"),
field_value=spath('<<ITEM>>', "value"),
combined_json=if(
isnull(combined_json),
json_object(fieldname, field_value),
json_set(combined_json, fieldname, field_value)
)
]
| fromjson combined_json prefix=dynamic_
| fields - combined_json, overall_sales_json, fieldname, field_value, overall_sales
``` Below code is if you only want the new fields on the first row ```
| streamstats
count as line_number
| foreach dynamic_*
[
| eval
<<FIELD>>=if(
'line_number'==1,
'<<FIELD>>',
null()
)
]
| fields - line_number
| rename
dynamic_* as *
