I found out how to do it by myself, for future reference:
first i filter all the fields that are interesting to me (the a_* fields), than via sum(*) as * a sum is built over every field in the result set with the name of the field as the column, hence the as * part.
index=foo | fields + a_* | stats sum(*) as *
this leaves us with a result in the form
a_foo a_bar a_baz
16 8 24
if we now want to do a pie chart over the result strange things happen as the pie chart only takes the values of the first columns into acount, this can be easily mitigated via transpose :
index=foo | fields + a_* | stats sum(*) as * | transpose
the result now is:
a_foo 16
a_bar 8
a_baz 24
for my use case this is perfectly fine, one could additionally to a rename if necessary
if instead of a stat a timechart is required, the following approach works:
like in the stat version filter the fields by a_* , via the table format the order of the columns is changed as for a timechart the _time field has to be the first column. the subsequent timechart command than groups via sum(*) as * like in the stats example
index=foo | fields + a_* | table _time * | timechart span=10m sum(*) as *
... View more