Hi,
I have one problem here.
I need to create a search with 2 groups, and create a chart with the result.
For example, my search:
index=inc_ group="Ti" OR group="Support" OR group="admin" OR group="helpdesk" | stats count(eval(match(group,"TI,Support"))) AS Operation , count(eval(match(Grupo,"admin,helpdesk"))) AS Administrative
How do I create a graph with this query?
I tried using | timechart count by Operation|Administrative but I had no success.
Help 😞
So did the search give you the result?
|Timechart Operation,Administrative
Sorry linu1988!
It's an error in my typing.
The search is:
count(eval(match(group,"TI,Support"))) AS Operation , count(eval(match(group,"admin,helpdesk"))) AS Administrative
You can split your search in 2 searches and append them together. Try something like that (after correcting your typos):
index=inc_ group="Ti" OR group="Support" OR group="admin" OR group="helpdesk" | stats count(eval(match(group,"TI,Support"))) AS "Operation" by _time | append [search index=inc_ group="admin" OR group="helpdesk" | stats count(eval(match(group,"admin,helpdesk"))) AS "Administrative" by _time] | stats values("Operation"), values("Administrative") by _time
I can't test it right now, but if you remove "by _time" everywhere in the search, it should give you the count for Operation and the count for Administrative, so that you just have to create a report and select pie chart.
Thx bro! Perfect!!
I have one more question about this topic: how do I add the values to one pie graph? Is it possible? E.g.: Operation vs Administrative
In the part count(eval(match(Grupo,"admin,helpdesk"))):
is "Grupo" a field or a typo in the search?
And I suppose Operation/Administrative are fields!!! You should put |Timechart Operation,Administrative
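A single-pass alternative to the append approach discussed in this thread, added here as an example and not taken from any of the posts: each event is labelled with a category and timechart splits the count by that label. It assumes the group values are exactly Ti, Support, admin and helpdesk; the field name "category" is made up for the example, and the patterns use regex alternation with a case-insensitive flag because match() takes a regular expression, in which a comma is a literal character.

```spl
index=inc_ (group="Ti" OR group="Support" OR group="admin" OR group="helpdesk")
| eval category=case(
    match(group, "(?i)^(ti|support)$"), "Operation",
    match(group, "(?i)^(admin|helpdesk)$"), "Administrative")
| timechart count by category
```

For the Operation vs Administrative pie chart asked about above, replacing the last line with `| stats count by category` returns one row per category.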