Solved: Combining Two Columns to Chart 3rd for Root Cause

AlexMcDuffMille · ‎10-17-2013

I have a log that outputs a table every day of issues that occur between two parties. I'm able to split the output table into individual events so that I can graph the NumberofIssues by Party1 or Party2, but what I'm really looking for is the root cause, the 'common denominator'. I would like to show which party is the real one causing issues. I would like to graph the total NumberofIssues that any party is involved with regardless if it is listed under 'Party1' or 'Party2'.

An example of my data is:

Party1,Party2,NumberofIssues

A, D, 100

B, D, 200

C, D, 300

D, B, 400

E, A, 2

F, C, 3

Desired outcome:

A=102

B=600

C=303

D=1000

E=2

F=3

So now I would be able to make a column chart and easily spot that D is causing all sorts of issues.

Thank you!

lguinn2 · ‎10-17-2013

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total

View solution in original post

lguinn2 · ‎10-17-2013

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total

aholzer · ‎10-17-2013

You may want to try to split the data into two sets and run a join on them. Something like this:

You may need to use a full outer join rather than a simple join. But this should get you started.

Hope this helps

Combining Two Columns to Chart 3rd for Root Cause