I have a field cat which may display multiple fields of varying count FFIEC, GLBA, PPI or just PPI so there is no set count to the multivalue fields. I am attempting to count the number of times each unique value appears and graph it over time. My query is as follows:
my query | eval Policies=split(cat,";") | timechart span=1h count by Policies
My problem is that when the line chart is displayed there can be multiple lines for a Policy value. For example if the multivalue field returns 3 instances as follows
FFIEC; GLBA; PPI
PPI
PPI
FFIEC; GLBA; PPI
My line values would display PPI = 2 FFIEC = 2 GLBA= 2 PPI = 2
What I am hoping to achieve is PPI=4 FFIEC=2 GLBA=2
Can anyone identify the part of my query I have wrong?
... View more