Hello,
I'm looking for a way to create a multivalue field from the result list of a subsearch and work with the new field in the main search.
Like this:
sourcetype = log [search sourcetype = log|where clause|stats values(Tickets) as NewTickets | fields + NewTickets] | table NewTickets
Is it possible to do something like that?
Greetings
Okay, so something like this?
sourcetype=log additional filters go here | chart count over TicketState by Day
That search is now the answer so feel free to accept.
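To make the accepted search concrete, here is an added Python model (not from the thread, not Splunk's own code) of what `chart count(Tickets) over TicketState by Day` and `stats values(Tickets) by TicketState` produce when run over events in the format the asker posted. The event lines are constructed for this example (two are the asker's own samples, the rest are made up), and the regex field extraction is an assumption about how the fields are extracted; the point is to show the table shape the chart command returns, with zero-filled cells for missing state/day combinations.

```python
"""Added example: a small Python model of two SPL aggregations from the
thread, run over constructed sample events. Not part of the original post."""
import re
from collections import defaultdict

# Constructed sample events in the format shown in the thread. The last line
# is deliberately malformed to show that non-matching events are dropped.
SAMPLE_EVENTS = [
    "Ticket: 2014040310140326 Day: 2014-04-03 TicketState: new",
    "Ticket: 2014040310150426 Day: 2014-04-05 TicketState: closed",
    "Ticket: 2014040310160001 Day: 2014-04-03 TicketState: open",
    "Ticket: 2014040310160002 Day: 2014-04-05 TicketState: closed",
    "Ticket: 2014040310160003 Day: 2014-04-05 TicketState: new",
    "garbage line that does not match the event format",
]

# Assumed field extraction (the thread only says the fields were extracted).
EVENT_RE = re.compile(
    r"^Ticket:\s*(?P<Tickets>\S+)\s+"
    r"Day:\s*(?P<Day>\d{4}-\d{2}-\d{2})\s+"
    r"TicketState:\s*(?P<TicketState>\S+)\s*$"
)


def extract_fields(raw_events):
    """Return one dict per event with Tickets, Day and TicketState fields.
    Lines that do not match the format yield no fields and are skipped."""
    events = []
    for line in raw_events:
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def chart_count_over_by(events, over="TicketState", by="Day", count_field="Tickets"):
    """Model of `chart count(<count_field>) over <over> by <by>`.

    Rows are keyed by the `over` field, there is one column per distinct
    `by` value, and each cell counts the events in that row/column where
    `count_field` is present. Combinations with no events show 0, which is
    what the chart command renders and what a line chart needs."""
    table = defaultdict(lambda: defaultdict(int))
    columns = set()
    for ev in events:
        if not ev.get(count_field):
            continue  # count(field) only counts events where the field exists
        table[ev[over]][ev[by]] += 1
        columns.add(ev[by])
    cols = sorted(columns)
    rows = []
    for key in sorted(table):
        row = {over: key}
        for c in cols:
            row[c] = table[key].get(c, 0)
        rows.append(row)
    return cols, rows


def stats_values_by(events, field="Tickets", by="TicketState"):
    """Model of `stats values(<field>) by <by>`: a multivalue field holding
    the distinct, sorted values per group. With by=TicketState this is the
    'all closed ticket numbers' list the asker originally wanted to build."""
    groups = defaultdict(set)
    for ev in events:
        groups[ev[by]].add(ev[field])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    evs = extract_fields(SAMPLE_EVENTS)
    cols, rows = chart_count_over_by(evs)
    print("TicketState", *cols, sep="\t")
    for r in rows:
        print(r["TicketState"], *(r[c] for c in cols), sep="\t")
    for state, tickets in stats_values_by(evs).items():
        print(state, tickets)
```

Each row of the chart output is one line in the resulting line chart (one per TicketState), with the Day columns as the x-axis, which is the four-line chart the asker described; the `stats values` form is the multivalue-per-state field from the original question, shown here for comparison.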
Thank you, that is what I was looking for, but I changed
|chart count over... to | chart count(Tickets) over...
Can you write an answer that I can vote?
Ok, these are some samples of how the events look:
Ticket: 2014040310140326 Day: 2014-04-03 TicketState: new
Ticket: 2014040310150426 Day: 2014-04-05 TicketState: closed
Out of such events I extract my fields as I described above.
Well, without sample data I'm stuck with guessing what your data looks like. If you'd post some samples...
I don't think that's possible in my case.
With sourcetype = log I get an event list where each event corresponds to one ticket. So each event has one ticket number, a ticket state like (open, closed, ...) and a day. I have already extracted the field "tickets" with all ticket numbers, the field "day" with all days, and the field "ticketstate" with 4+ states. I think now I need to create a field "close" with all closed ticket numbers and other fields for the other states. Then:
search with or without subsearches | chart count(open) count(close)... by day
as line chart
Hope that was a better explanation.
Something like this?
sourcetype=log additional filters go here | chart count over Tickets by Day
What I want to do is this:
I have extracted a field called Tickets, which includes all kinds of tickets like open, closed, ...
Now I want to split the Tickets field values with 4 different (sub)searches into 4 fields ("open", "closed", ...).
My expected result is a line chart with 4 lines, where each line is the number of values for one kind of ticket. And it should be grouped by a field called Day.
Thanks for the help.
Could you explain what you're trying to achieve using natural language, sample data, and expected results?
I'm not quite able to grasp those from your attempted search.