Hi all, currently I'm using a search which returns results similar to this for each event I.E March April May etc..., where the second occurrence of march in this case gives me the totals for install and MM.
I was wondering if there was anyway that i set up up my search so that the second occurence of the group name will read as "totals" or something similar.
Here is the part of my search that gives me this table format, and as always thank you for the help.
| table Group, Bundle, Installs, Build, MM, |appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group ] |sort Group
Group Bundle Installs MM
March 1a 3 50
2a 2 20
3a 5 10
March 10 80
Try:
| table Group, Bundle, Installs, Build, MM, | sort Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Group="Totals" ]
Try:
| table Group, Bundle, Installs, Build, MM, | sort Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Group="Totals" ]
It does work, however it renames every field under group I would like to limit it to only renaming the second occurrence of that field value so for example turning this -
Group Bundle Installs MM
March 1a 3 50
2a 2 20
3a 5 10
March 10 80
Into this
Group Bundle Installs MM
March 1a 3 50
2a 2 20
3a 5 10
Totals 10 80
Thank you
Every Group value said "Totals"? Did you do perform the eval inside the appendpipe only? If sorting is just being lost, we can preserve its "real" group by creating another field using eval and then sorting on that.
Sorry yes it did work, It just slipped my mind to put the command into the appendpipe, and for the sorting issue you mean basically leaving the "Real" group in the background so it can sort by that but display the "Totals" label?
Yes, exactly. I think it'd look something like this for your search:
| table Group, Bundle, Installs, Build, MM, | eval Sorter=Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Sorter=Group | eval Group="Totals" ] | sort -Sorter | fields - Sorter
The sort should stay in place since we are removing the Sorter field after it has already been applied by the sort command.
Either way, let me know how you make out. 🙂
That worked wonderfully, thank you!