Solved: Re: What syntax can I use to run a search that sor...

JyotiP · ‎08-23-2017

I have data for 1 day where I want to sort it with activity like following manner, total number of records took 0-3 sec , total number of records took 3-4 and goes on. Want to present it in one query.

DalJeanis · ‎08-23-2017

There are two basic syntaxes you can use (probably a dozen more, but these two demonstrate the top two in use)

your query here 
| eval mygroup=case(Val_value>=0 AND Val_value<=3,"0.0 to 3.0", 
    Val_value>3 AND Val_value<=4,"3.0+ to 4.0", 
    Val_value>4 AND Val_value<=5,"4.0+ to 5.0", 
    Val_value>5 AND Val_value<=6,"5.0+ to 6.0", 
    true(),"6.0+")

...then your choice of one of these two...

| stats count by mygroup
| chart count by mygroup

stats presents one record per value of mygroup, chart would present them horizontally.

... OR ...

your query here 
| stats count(eval(Val_value>=0 AND Val_value<=3)) as "0.0 to 3.0",
    count(eval(Val_value>3 AND Val_value<=4)) as "3.0+ to 4.0",
    count(eval(Val_value>4 AND Val_value<=5)) as "4.0+ to 5.0",
    count(eval(Val_value>5 AND Val_value<=6)) as "5.0+ to 6.0",
    count(eval(Val_value>6)) as "6.+"

This second version presents them horizontally. If you wanted to change them to vertically, you could do it the other way, or add this afterward...

 | eval junk=1
 | untable junk mygroup count
 | fields - junk

View solution in original post

JyotiP · ‎08-29-2017

@DalJeanis can create a pi chart or graph for the above query ??

DalJeanis · ‎08-23-2017

There are two basic syntaxes you can use (probably a dozen more, but these two demonstrate the top two in use)

your query here 
| eval mygroup=case(Val_value>=0 AND Val_value<=3,"0.0 to 3.0", 
    Val_value>3 AND Val_value<=4,"3.0+ to 4.0", 
    Val_value>4 AND Val_value<=5,"4.0+ to 5.0", 
    Val_value>5 AND Val_value<=6,"5.0+ to 6.0", 
    true(),"6.0+")

...then your choice of one of these two...

| stats count by mygroup
| chart count by mygroup

stats presents one record per value of mygroup, chart would present them horizontally.

... OR ...

your query here 
| stats count(eval(Val_value>=0 AND Val_value<=3)) as "0.0 to 3.0",
    count(eval(Val_value>3 AND Val_value<=4)) as "3.0+ to 4.0",
    count(eval(Val_value>4 AND Val_value<=5)) as "4.0+ to 5.0",
    count(eval(Val_value>5 AND Val_value<=6)) as "5.0+ to 6.0",
    count(eval(Val_value>6)) as "6.+"

This second version presents them horizontally. If you wanted to change them to vertically, you could do it the other way, or add this afterward...

 | eval junk=1
 | untable junk mygroup count
 | fields - junk

JyotiP · ‎08-23-2017

@DalJeanis, thanks for the update, let me try and will post my result

JyotiP · ‎08-23-2017

Currently I have separate query as follows :
query 1 : where Val_value>=0 AND Val_value<=3 | stats count
query 2 : where Val_value>=3.1 AND Val_value<=4 | stats count
query 3 : where Val_value>=4.1 AND Val_value<=5 | stats count
query 4 : where Val_value>=5.1 AND Val_value<=6 | stats count
So I want to merge the above request into 1 query. How to do it ?

What syntax can I use to run a search that sorts varying runtimes?

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices

Streamline Data Ingestion With Deployment Server Essentials