I'm aggregating some values via 'chart list(value) as jobs by something' and then later on I want to produce a table that puts every value of 'jobs' into a single row. For example my query is
index=main | fields counter, job | dedup job, counter | chart list(job) as jobs by counter
and my output is something like
---------------------
| counter | job |
|-------------------|
| counter1 | job11 |
| | job12 |
| | job13 |
| ------------------|
| counter2 | job21 |
| | job22 |
---------------------
and later on I do the following postprocess:
search counter="counter2" | table jobs
And I get the following response
---------
| job |
| ------|
| job21 | (row1)
| job22 |
---------
I would like to get this response:
---------
| job |
|-------|
| job21 | (row1)
|-------|
| job22 | (row2)
---------
I.e. I would like the resulting table to print every value of the 'jobs' list into a separate row of the table but the above command just gives me one row with all the list's values in it. Is there a way to do something like this?
Looks like the command I was looking for was mvexpand so it would be something like:
search counter="counter1" | table jobs | mvexpand jobs
Looks like the command I was looking for was mvexpand so it would be something like:
search counter="counter1" | table jobs | mvexpand jobs
In general, you should avoid the list()
function, and just do the original query as:
index=main | stats count by counter, job | fields - count
the fields
and dedup
are unnecessary and redundant, as chart
or stats
does that anyway.
I wanted to do something like you suggested by I need the deduped values of 'counter' to be put into a dropdown menu.