HI,
While use chart command i am getting null values for status in search and the same in dashboard i do not see in the panel. I am trying to get distinct count of run_id for each values(col1,col2,col,3...)
This i am seng in the search head.
| Name |
col1 |
col2 |
col3 |
col4 |
| abc123 |
21 |
40 |
|
|
| xyz789 |
35 |
50 |
|
|
In Dashboard, panel shows below table missing with col3 ans col4
| ID |
col1 |
col2 |
| abc123 |
21 |
40 |
| xyz789 |
35 |
50 |
Search Query:
index=xyz sourcetype=abc event_name=test earliest=@d
| fields - _raw
| eval TIME=strftime(strptime(timestamp,"%Y.%m.%d"),"%F")
| fields app_name event_name TIME values Id
| search name=* values="col1" OR values="col2" OR values="col3" OR values="col4"
| chart dc(run_Id) OVER name by values
| fields "APP NAME" col1 col2 col3 col4
And also i want to add one new column:
some thing count(Id) as ID_Count by time
I tried usenull, useother, fillnull, none worked.
