I need a table that looks like a chart containing multiple 'by' values.
sample output:
time_bin, farmName, errorCount
12:05, farmOne, 7
12:05, farmTwo, 6
12:10, farmOne, 8
So far I'm doing this:
index=prod-* sourcetype=fruits msg="ripened*" |
bin _time span=5m |
eval error = if(like(sev,"ERROR"),1,null()) |
eval warn = if(like(sev,"WARN"),1,null()) |
eval info = if(like(sev,"INFO"),1,null()) |
eval farm = case(
like(index,"%farm1"),"farmOne",
like(index,"%farm2"),"farmTwo") |
stats values(farm), count(error) by _time
This mostly gets me what I want, except that I get a multi-value field for farm. So I get
12:05, farmOne farmTwo, 13 instead of what I want.
What am I missing?
You can try stats by _time and farm to separate it by _time and by farm name, like:
...|stats values(farm), count(error) by _time farm
If this won't work, then try the below:
...|makemv farm|mvexpand farm
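A complete version of the asker's search that applies the answer above and produces the requested columns (time_bin, farmName, errorCount). This is an added example, not the answer's own code; the index, sourcetype, msg and sev values are taken from the question, and the "unknown" default for unmatched indexes is an assumption.

```spl
index=prod-* sourcetype=fruits msg="ripened*"
| bin _time span=5m
| eval farm = case(like(index,"%farm1"), "farmOne",
                   like(index,"%farm2"), "farmTwo",
                   true(), "unknown")
| stats count(eval(sev="ERROR")) as errorCount,
        count(eval(sev="WARN"))  as warnCount,
        count(eval(sev="INFO"))  as infoCount
        by _time farm
| eval time_bin = strftime(_time, "%H:%M")
| rename farm as farmName
| table time_bin farmName errorCount warnCount infoCount
```

Because farm is now a grouping key, values(farm) is no longer needed and each (time bin, farm) pair becomes its own row; if you would rather have one column per farm, replace the stats line with chart count(eval(sev="ERROR")) as errorCount over _time by farm.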
Who knew by would accept two terms separated by a space. Thanks!