I seem to have tied myself in a knot.
I have data similar to:
h1 h2 h3 h4
a 12 123 231
a 32 45 678
b 43 56 78
What I want is a chart of the totals for h2, h3 and h4, it's probably stunningly easy but for the life of me I can't get it.
thanks.
I managed to get what I want with the below in the end, is there a more compact solution?
| chart sum(h1) as Hour1 sum(h2) as Hour2 sum(h3) as Hour3 sum(h4) as Hour4 ....... by extract_date
What's your whole query?
not much else to it just pulling the data from an index:
index=my_index sourcetype=mysrc Database=ABC* extract_date=12/11/20| chart sum(h1) as Hour1 sum(h2) as Hour2 sum(h3) as Hour3 sum(h4) as Hour4 ....... by extract_date
What is the meaning of your compact?
If it's fast, there shouldn't be any problem.
|makeresults | eval _raw="h1 h2 h3 h4 a 12 123 231 a 32 45 678 b 43 56 78" | multikv forceheader=1 | table h* | fillnull total | rename h1 as _h1 | foreach h* [eval total=total+<<FIELD>>] | stats sum(total) as total by _h1 | rename _h1 as h1
I'm not sure what you want. but how about this?
