Solved: Re: count problem

keyu921 · ‎05-25-2020

I have following data
email|country|license
aa|HK|365E1
bb|US|365E2
cc|HK|non-office
dd|HK|non-office
ee|UK|non-office

I would like to got bar chart that values of adopted (365E1+365E2) and non-adopted and count by country

base_search
| chart dc("email") AS Count over country by license

gcusello · ‎05-26-2020

Hi @keyu921,
you should find a way to identify adopted and non adopted and use this rule in an eval command, like the one:

base_search
| eval kind=if(license="non-office","non adopted","adopted")
| chart dc("email") OVER kind BY license

Ciao.
Giuseppe

View solution in original post

gcusello · ‎05-26-2020

Hi @keyu921,
you should find a way to identify adopted and non adopted and use this rule in an eval command, like the one:

base_search
| eval kind=if(license="non-office","non adopted","adopted")
| chart dc("email") OVER kind BY license

Ciao.
Giuseppe

keyu921 · ‎05-26-2020

After I review the data, I got 30 license type, I want to keep 365E1 and 365E2 for adopted and others are non-adopted
How can I eval like?
| eval kind=if(license!="%OFFICE 365%","non adopted","adopted")
| chart dc("email") OVER kind BY country

keyu921 · ‎05-26-2020

thank you i got the diagram expected after modify some query

count problem

chart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor