Hello,
I am attempting (unsuccessfully so far) to display multiple date_wday values in a single table column.
My search checks for errors over a 7 day period. There are errors that occur on multiple days or may only occur after a certain day (in the case of application updates etc).
My end aim is to produce table that has the error and the days that the error occurred on.
<Search> | table error dayserroroccurredon
++Output++
ERROR XXXXX Mon, Tues, Wed
ERROR XXXXX Wed, Thursday
I have tried various appends but none give me the result I want and simply put each day on a new line
Is there away to combine the day values into a single field that can then be outputted to a table ?
Any help or advise will be greatly appreciated.
Cheers,
Alastair
It is hard to be sure without more detail but perhaps this:
... | stats values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon
The stats
command creates a multivalued
field and the nomv
command merges all the values into a single whitespaced conglomerated value.
It is hard to be sure without more detail but perhaps this:
... | stats values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon
The stats
command creates a multivalued
field and the nomv
command merges all the values into a single whitespaced conglomerated value.
Works a treat.. thank you.
Now just to work out how to get the count of the number of times the error occurred.
Thank you... I ended up adding
stats values(date_wday) AS dayserroroccurredon count(errortype) AS errCount BY errortype but I prefer your way as it is neater and easier to understand.
Cheers and thanks again for your help
Like this:
... | stats count values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon