index=ABC sourcetype="stalogmessage"
| fields _raw
| spath output=statistical_element "StaLogMessage.StatisticalElement"
| spath output=statistical_subject "StaLogMessage.StatisticalElement.Sta...
See more...
index=ABC sourcetype="stalogmessage"
| fields _raw
| spath output=statistical_element "StaLogMessage.StatisticalElement"
| spath output=statistical_subject "StaLogMessage.StatisticalElement.StatisticalSubject"
| fields - _raw
| mvexpand statistical_element
| mvexpand statistical_subject
| spath input=statistical_element output=statistical_item "StatisticalItem"
| spath input=statistical_item output=StatisticalId "StatisticalId"
| spath input=statistical_item output=Value "Value"
| spath input=statistical_subject output=SubjectType "SubjectType"
| where SubjectType="ORDER_RECIPE"
| stats count by StatisticalId Value SubjectType _time
| lookup detail_lfl.csv StatisticalID as StatisticalId SubjectType as SubjectType OUTPUTNEW SymbolicName
| mvexpand SymbolicName
| where SymbolicName="UTILISATION"
| strcat "raw" "," SymbolicName group_name
| stats min(Value) AS min_value, max(Value) AS max_value, sum(Value) AS sum_value, count AS count BY SymbolicName group_name StatisticalId _time
| eval min_value=coalesce(min_value,value), max_value=coalesce(max_value,value), sum_value=coalesce(sum_value,value), count=coalesce(count,1)
| fields StatisticalId min_value max_value sum_value count group_name _time
| dedup StatisticalId _time group_name
| fields - _virtual_ _cd_
| fillnull value=""
| timechart span=1h minspan=3600s eval(round(min(min_value),2)) AS "Minimum", eval(round(max(max_value),2)) AS "Maximum", eval(round(sum(sum_value),2)) AS summed, eval(round(sum(count),2)) AS counted
| eval "Average" = round(summed/counted, 2)
| fields - summed counted As I am using above query to visualize the graph in Maximum , minimum and average. But my values are looking different. Expected result I want : @bowesmana Please help me what I need to fix in the query to achieve expected results.