Hello,
I use the search below, which works fine:
`fiability`
| fields host Logfile SourceName ProductName SITE DEPARTMENT RESPONSIBLE_USER
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error")
| search (ProductName=*)
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, last(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName
| rename ProductName as Product
| sort -"Number of crashes"
The problem I have is in my XML file, because I use token filters on the DEPARTMENT and RESPONSIBLE_USER fields.
Since I just use a stats by ProductName, the RESPONSIBLE_USER related to the ProductName is just the last RESPONSIBLE_USER of the ProductName and not all the RESPONSIBLE_USER values for a specific ProductName.
So when I use the token for the RESPONSIBLE_USER in my dashboard, it doesn't reflect the exact reality.
And if I do a stats by ProductName RESPONSIBLE_USER, it's not good because I have many counts for the same ProductName.
What I need is to have a single count for the same ProductName and at the same time to have all the ProductName counts for the same RESPONSIBLE_USER (meaning something other than the last RESPONSIBLE_USER for a ProductName...).
Could you help me please?
Use the values function of stats to get all values of RESPONSIBLE_USER.
...
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName
...
I have already done this and it works if I put the token before the stats command:
| search ProductName="browser_*" AND RESPONSIBLE_USER=*ABCDE*
| stats last(SITE) as SITE, values(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName
but...
For this search, I use a scheduled search.
So it means that I use my filter token after the loadjob command:
| loadjob savedsearch="admin:XXXX:YYYYY"
| search RESPONSIBLE_USER=$tok_filterresponsible|s$
And in this case I am unable to filter on the correct RESPONSIBLE_USER.
The values function may produce a multi-value field that requires using the mvfind function to search.
| loadjob savedsearch="admin:XXXX:YYYYY"
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$))
mvfind looks in the multi-value field for the given string. If successful, it returns an index into the field; otherwise, it returns NULL.
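An added example, not part of the thread: a search that can be pasted into the search bar to see the values() and mvfind combination on constructed data. The five events, the product names and the user names are made up, and the literal "^ABCDE$" stands in for the dashboard token. Because mvfind treats its second argument as a regular expression, the pattern is anchored here so that only the exact user name matches.

```spl
| makeresults count=5
| streamstats count as n
| eval ProductName=case(n<=3, "browser_a", true(), "editor_b")
| eval RESPONSIBLE_USER=case(n=1, "ABCDE", n=2, "FGHIJ", n=3, "ABCDE", n=4, "KLMNO", n=5, "FGHIJ")
| eval SourceName=if(n%2=0, "Application Hang", "Application Error")
| stats values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName
| where isnotnull(mvfind(RESPONSIBLE_USER, "^ABCDE$"))
| rename ProductName as Product
| sort -"Number of crashes"
```

Each product stays on a single row with one count, and the row is kept whenever any of its RESPONSIBLE_USER values matches the pattern.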