Hi guys,
I need to add 2 different fields under the same function. The first is with a specific ACResponse, and I need to keep this function because I will take more information from it. I just want ACResponse different from 200:
| stats list(ACResponse) as ACResponse by OCId
| search ACResponse!="*200*"
| eval ACResponse=mvjoin(ACResponse,";")
| stats count(ACResponse)
But I also need to search for results with Workflow="debordement_*" (ACResponse for debordement doesn't exist (null)) and add them to the first result:
search:
Workflow="debordement_*"
|stats dc(OCId)
I tried with this, but the result is null. Can you tell me what is wrong, please, and help me if you know how?
Workflow="*tsr*" OR "go_choix_1*"
|stats count(OCId)
| where Workflow="debordement_*"
[| stats list(ACResponse) as ACResponse by OCId | search ACResponse!="*200*"|eval ACResponse=mvjoin(ACResponse,";")| stats count(ACResponse) as ACResponse]
Thanks for your answers.
Right now your search is doing nothing but counting the unique values of OCId, which can be done like this:
... | stats dc(OCId)
Alright... I THINK I understand what you're trying to do. Maybe.
I think you're trying to join two searches based on a common field.
If that's the case, try something like this:
YourSearch Workflow="*tsr*" OR "go_choix_1*"
| eval ACResponse=mvjoin(ACResponse,";")
| search ACResponse!="*200*"
| join OCId type=outer
[ AnotherSearch Workflow="debordement_*"
| stats count by OCId]
| stats list(ACResponse) AS ACResponse, dc(ACResponse) AS ACResponse_dcount by OCId
You're doing a few different things with the stats functions in your searches, so I'm not sure exactly what your expected output is. You might need to explain a little more. Otherwise, I hope that helps.
Yes, I want to add these 2 different searches to give a unique number. Currently I can find each of the two, but separately, and I want to group them to have A + B.
I tried your solution, but I find only responses different from 200 and not the calls by the Workflow "debordement_*":
MySearch Workflow="*tsr*" OR "go_choix_1*"
| stats list(ACResponse) as ACResponse by OCId
| search ACResponse!="*200*"
| eval ACResponse=mvjoin(ACResponse,";")
| join OCId type=outer [ search Workflow="debordement_*"
| stats count by OCId]
| stats list(ACResponse) AS ACResponse, dc(ACResponse) AS ACResponse_dcount by OCId
| stats count(ACResponse_dcount)