Hi guys,   i have the following query that produces table below   index=core_ct_report_* | eval brand=case(like(report_model, "cfg%"), "grandstream", like(report_model, "cisco%"), "Cisco", like(report_model, "ata%"), "Cisco", like(report_model, "snom%"), "Snom", like(report_model, "VISION%"), "Snom", like(report_model, "yealink%"), "Yealink", 1=1, "Other") | stats count by fw_version,report_model,brand | table brand report_model fw_version count |sort report_model, count desc In this table i want to group the rows with the same value in report_model column, i use stats values() to achive that as follows index=core_ct_report_* | eval brand=case(like(report_model, "cfg%"), "grandstream", like(report_model, "cisco%"), "Cisco", like(report_model, "ata%"), "Cisco", like(report_model, "snom%"), "Snom", like(report_model, "VISION%"), "Snom", like(report_model, "yealink%"), "Yealink", 1=1, "Other") |stats count by fw_version,report_model,brand | stats values(brand) as brand values(fw_version) as fw_version values(count) as count by report_model |table brand report_model fw_version count   but with this query the count is also grouped, on 6th row there are count values missing, the count missing has the value 1 so only one '1' is showed. i can't remove count from stats values() or the count values doesn't appear in final table. What i'm doing wrong?   Thanks in advance for your help.   ... View more

Hi,   i have the following case, An operation has multiple events and every event of an operation is related by field PushId. Below the events of one operation (underlined necessary fields) 13:14:03,838;04-08-2023 13:14:03.838;;SMS;33786543;iOS;001452c7-9f80-4215-87b5-a20b00e3c4fd;;;0;OK 13:09:31,150;04-08-2023 13:09:31.133;;SEND_PUSH_APNS;33786543;ios;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body.;17;OK;null 13:09:31,131;04-08-2023 13:09:31.102;;NON_SILENT_PUSH;33786543;;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body..;29;OK;null 01:23:52,652;04-08-2023 01:23:52.519;10.129.150.86;SEND_PUSH_REQUEST;33786543;ios;001452c7-9f80-4215-87b5-a20b00e3c4fd;This is a Title;This is the Body.;133;OK;29a6c9e8-d731-47b4-81b9-6748596c4138 I want to count by every PushID (001452c7-9f80-4215-87b5-a20b00e3c4fd in this case) the Number of requests equal to SEND_PUSH_REQUEST, ACK and SMS. With this counts do a table including Title and Body, For this particular case, should look like, Title | Body | Requests (SEND_PUSH_REQUEST) | ACK | SMS This is a Title | This is the Body | 1 | 0 | 1   for counts i'm ok with below queries index=vfpt_idx_gssm_mbe PushId=001452c7-9f80-4215-87b5-a20b00e3c4fd | stats count(eval(Request="SEND_PUSH_REQUEST")) as request , dc(eval(Request="ACK")) as ack , count(eval(Request="SMS")) as sms by PushId, Title, Body | table Title Body request ack sms the problem is isn't show the correct count for SMS because is Title and Body is not on all events index=vfpt_idx_gssm_mbe PushId=001452c7-9f80-4215-87b5-a20b00e3c4fd | stats count(eval(Request="SEND_PUSH_REQUEST")) as request , dc(eval(Request="ACK")) as ack , count(eval(Request="SMS")) as sms by PushId | table Title Body request ack sms With this query, counts are ok but table is not showing Title and Body.   I'm stuck here and i don't know how to relate the counts with fields Title and Body on a table.   Thank you ... View more

Hi,   i have a field with the models, like below, and with this info i want to define a new field like brand. i tried different approaches but can't get brand field populated, below a test search with different case, none works but where clause works well.   index=core_ct_report_* | where (report_model = "cfgHT802") | eval brand=case(report_model=cfgHT802, grandstream) | eval brand2=case(like(report_model, cfgHT802), grandstream) | eval brand3=case(like(report_model, "cfg%"), grandstream) | table report_model brand brand2 brand3 what is wrong? What i need is something like this, | eval brand3=case(like(report_model, "cfg%"), grandstream, ...) Thanks, ... View more