| makeresults | eval _raw="5am fruit=apple 5am fruit=orange 5am fruit=banana 7am fruit=apple 7am fruit=orange 12pm fruit=orange 12pm fruit=banana" | multikv noheader=t | rex "(?<time>\S+)\sfruit=(?<fruit>.*)" | stats count by fruit time | append [ | makeresults | eval fruit=split("apple,banana,orange",","), time=split("5am,7am,12pm",",") | stats count by fruit time | fields - count ] | fillnull count | stats sum(count) as count by fruit time | sort fruit time | where count = 0 transaction? I don't think it should need.
... View more