Hello
I stats events after 2 eventstats commands like this:
| eventstats sum(netp) as "netp1" by site
| eventstats sum(netp) as "netp2" by site user
| stats last(netp1) as "netp1", last("netp2") as "netp2" by site user
But I know it's not good, because I am doing a chart and the sum of netp and the sum of netp2 are not the same: for the same site there may be many users, but in my bar chart there is just one user displayed.
The bar in red corresponds to netp2 and the bar in blue to ntp2.
So the problem is with my blue bar, which has to have the same sum as the red bar.
How can I stats the events to solve this problem, please?
Can anybody help, please?
Clearly there are other columns in the chart - what are the x-axis labels for the columns
Also, what do you get if you add this to the search
| stats count by site
The x-axis labels correspond to the site field.
When I am doing | stats count by site I have a count = 1 for almost all the sites except 2 sites.
For the 2 sites, it just means that there are 2 users concerned instead of 1.
Are these two sites where there is an issue? Or, do you get the issue for all of the sites?
Most of the time there is just one user for one site.
So in this case, my chart is correctly displayed.
In red it's the sum count by site and in blue the sum count by user.
But if there is more than one user, my chart is wrong.
The bars for the sum count by site and the sum count by user always have to be the same, even if there is more than one user...
So the second and third blue add up to the red in both second and third, and the eighth and ninth blue add up to the red in both eighth and ninth. This is to be expected as both these sites have two users.
So according to you there is no solution to display the bar chart as I need?
Correct - the red bar represents the count for the site, and the blue bar represents the count for one of the users of the site, so where there is more than one user for a site, you will get multiple sets of bars for the site.
If user is null in some of your events they will still be counted as part of netp1 but won't appear in netp2
I am sure it's not the problem.
In my example I can see, for the same site, 2 users with 2 different sums of ntp2.
So in my chart the sum of these 2 ntp2 has to be the same as ntp1,
but the sum is different because in the bar chart for ntp2 there is just one user.
So there is a problem in the way I stats the events, I think?
Try this
| where isnotnull(user)
| eventstats sum(netp) as "netp1" by site
| eventstats sum(netp) as "netp2" by site user
| stats last(netp1) as "netp1", last("netp2") as "netp2" by site user
it changes anything...
Not sure what you mean by that
If your results are not what you expect, you need to look at your data and figure out what it is about your data that is producing the results you are getting.
For example, if user is a multi-value field, netp2(siteA, userX) + netp2(siteA, userY) could be greater than netp1(siteA)
Try reducing your data set until the inconsistency goes away, then increase it until the inconsistency comes back and have a look at the differences between the two data sets to try and isolate where the difference is coming from.
Sorry, I don't understand.
I am sharing the search with you, if you can have a look please:
https://www.cjoint.com/c/LEnfNGp6MEB
thanks
There doesn't appear to be anything wrong with the search
Therefore, if the results are not as you are expecting, there is a mismatch between your expectations and the data you are dealing with.
Try reducing the data set to a more manageable size to see at what point the outcome matches or doesn't match your expectations
I have done a lot of debugging but I am going to continue again...
Don't you think we can do the job with a subsearch in order to work around the issue?
I don't understand what the issue is so I wouldn't know how a subsearch would help or not.
You are overwriting the value of netp in the first eventstats - try changing the order
| eventstats sum(netp) as "netp2" by site user
| eventstats sum(netp) as "netp" by site
| stats last(netp) as "netp", last("netp2") as "netp2" by site user
Yes, but it's just because I modified the code for the example and made a mistake...
So in my original code, it's not the case,
so the root cause of my problem is not due to this...
Please update your question so that it represents your actual issue
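The behaviour discussed in the replies above (one row per site/user pair, and events with a null user counted in netp1 but not in netp2) can be reproduced with a small model. This is an added example, not code from the thread and not Splunk code: it is a Python model of the eventstats/stats pipeline as the replies describe it, run over constructed events, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): site B has two users,
# site C has one event with no user value.
EVENTS = [
    {"site": "A", "user": "alice", "netp": 10},
    {"site": "B", "user": "bob", "netp": 5},
    {"site": "B", "user": "carol", "netp": 7},
    {"site": "B", "user": "bob", "netp": 3},
    {"site": "C", "user": "dave", "netp": 4},
    {"site": "C", "user": None, "netp": 6},
]

def group_key(event, by):
    """Return the by-field tuple, or None if any by-field is missing."""
    key = tuple(event.get(b) for b in by)
    return None if None in key else key

def eventstats_sum(events, field, out, by):
    """Model of `eventstats sum(field) as out by ...`: each event that has all
    by-fields gets its group's total; events missing one get no new field."""
    totals = defaultdict(int)
    for e in events:
        if group_key(e, by) is not None:
            totals[group_key(e, by)] += e[field]
    return [dict(e, **{out: totals[group_key(e, by)]})
            if group_key(e, by) is not None else dict(e) for e in events]

def stats_last(events, fields, by):
    """Model of `stats last(f) as f ... by ...`: one row per by-group;
    events missing a by-field are dropped."""
    rows = {}
    for e in events:
        key = group_key(e, by)
        if key is not None:
            row = rows.setdefault(key, dict(zip(by, key)))
            row.update({f: e[f] for f in fields if e.get(f) is not None})
    return list(rows.values())

def chart_rows(events):
    """The three-command pipeline from the question, in the same order."""
    step1 = eventstats_sum(events, "netp", "netp1", by=("site",))
    step2 = eventstats_sum(step1, "netp", "netp2", by=("site", "user"))
    return stats_last(step2, ("netp1", "netp2"), by=("site", "user"))

def netp2_total_by_site(rows):
    """Sum the per-user bars (netp2) for each site."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["site"]] += r["netp2"]
    return dict(totals)
```

In this constructed data, site B produces two rows whose netp2 values add up to netp1, while site C's netp2 falls short of netp1 by the value of the event that has no user.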