Hi,
I want to count how often a Specific field let's call it x is inside a file.
The reason is to follow the flow.
Therefore i use the transaction function to have one file per flow.
Afterwards the file is for example like:
x=a y=yxd z=asdfa x=b x=c
I want now count how often x is in the file and when x is more then once in a file i want to see the results behind the x=
| chart values(x) by file
...might do it.
Thank's for that answer but this is just part of the answer after having that i want to see all the parts in detail where x is more than once in a file
stats values(x) As variable by ID| stats count(variable) As VARIABLE by ID | where VARIABLE> 1
After that I wanted to make the values(x) command to see the results but it won't show me the different x versions per ID
The question is how can I see in the results table the different x=... x=... versions
Just make sure that the 'file' is actually a single file, if that is your requirement. Normally, events are not really seen as part of a particular file, unless the application creating the file has some naming scheme, e.g. app_log-yyyy-mm-dd.log
. That file name would then be found in the source
field.