Hello,
I am trying to bring back a set number of fields in a query even if that field isn't in the indexed data. For example, my data could have a field called Status. Status could be one of 3 values a, b, or c. My data only happens to have a and b with no c. I want my queries to always bring back count values for a, b, and c with 0 for any field value that's not in the current data. Is this possible?
Yes it's possible, you can use the eval command under the count, it will only count if it matches a set outcome, here's a sample:
source="some source" | stats count(eval(Status="a")) as Name_of_field_A count(eval(Status="b")) as Name_of_field_B count(eval(Status="c")) as Name_of_field_C
The above will always return the 3 fields and will stay at 0 till they encounter a match on the status field. Is that what you're looking for?
Yes it's possible, you can use the eval command under the count, it will only count if it matches a set outcome, here's a sample:
source="some source" | stats count(eval(Status="a")) as Name_of_field_A count(eval(Status="b")) as Name_of_field_B count(eval(Status="c")) as Name_of_field_C
The above will always return the 3 fields and will stay at 0 till they encounter a match on the status field. Is that what you're looking for?
That's exactly what I'm looking for thanks!
Could you share your exact search?