So if I want a count of every time "y" shows up with "z", put it in groupby; if it is possible for "z" to have multiple values of "y" in the same or multiple events AND I'm okay with showing those multiple values of "y" in the same row for each unique "z," then use values(y) at the beginning. Is that right?
Let's say I change the values(y) to sum(y) (think bytes in a traffic log). Then instead of showing all the different numbers in the "values(bytes)" cell, I would have a cell with the sum of all the numbers. That cell would be for every instance of "z." If I change groupby to "a, b, z" then every possible combination of those 4 values would show up with a sum. Right?
let's say each of those could be 1 or 2, this would be the possibilites:
a b z
1 1 1
1 1 2
1 2 1
1 2 2
2 1 1
2 1 2
2 2 1
2 2 2
(I may have missed one or two possibilities)
So for every time there is an event where a, b & z are 1, it would add up the total of the field "bytes" and we would have one line telling us 1,1,1,sum(bytes). And we keep going.
Do I have it?
And there would not be much reason to put "bytes" in the groupby field from what I can tell.
... View more