Adding two aggregated fields
Hello,
I am trying to display the sum of the two aggregated fields "sum(DiscoverCountOld)" and "sum(DiscoverCount)" in a separate column instead of those two columns.
_source="src" and _collector="collector"
| parse regex "Finished cataloging (?<DiscoverCountOld>\d+) visits for state " nodrop
| parse regex "Finished cataloging visits: Visit count: (?<DiscoverCount>\d+)" nodrop
| parse regex "Finished submitting (?<SubmitCount>\d+) visits for state CO" nodrop
| parse regex "Finished updating status for (?<UpdateCount>\d+) visits for state CO"
| fields DiscoverCountOld,DiscoverCount,SubmitCount,UpdateCount
| timeslice 1d
| sum(DiscoverCountOld) as VisitsDiscoveredOld,sum(DiscoverCount) as VisitsDiscovered, sum(SubmitCount) as VisitsSubmitted, sum(UpdateCount) as VisitsUpdated group by _timeslice
| fillmissing timeslice(1d)
| sort by _timeslice asc
-
Here is the solution I have found in case anyone needs it.
_source="source" and _collector="collector"
| parse regex "Finished cataloging (?<DiscoverCountOld>\d+) visits for state " nodrop
| parse regex "Finished cataloging visits: Visit count: (?<DiscoverCount>\d+)" nodrop
| parse regex "Finished submitting (?<SubmitCount>\d+) visits for state CO" nodrop
| parse regex "Finished updating status for (?<UpdateCount>\d+) visits for state CO"
| timeslice 1d
| sum(DiscoverCountOld) as VisitsDiscoveredOld,sum(DiscoverCount) as VisitsDiscoveredNew, sum(SubmitCount) as VisitsSubmitted, sum(UpdateCount) as VisitsUpdated group by _timeslice
| VisitsDiscoveredOld+VisitsDiscoveredNew as VisitsDiscovered
| fields _timeslice,VisitsDiscovered,VisitsSubmitted,VisitsUpdated
| fillmissing timeslice(1d)
| sort by _timeslice asc
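As an added illustration (not part of the original question or answer), the following Python script reproduces what the solution query does on a few constructed log lines: it applies the same four regexes with nodrop semantics (unmatched fields stay empty), sums per day, fills missing days, and adds the old and new discover totals into a single VisitsDiscovered column. It assumes that a day with no matching messages contributes a sum of zero.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# The four "parse regex" stages of the query, as Python named groups.
PATTERNS = {
    "DiscoverCountOld": re.compile(r"Finished cataloging (?P<v>\d+) visits for state "),
    "DiscoverCount": re.compile(r"Finished cataloging visits: Visit count: (?P<v>\d+)"),
    "SubmitCount": re.compile(r"Finished submitting (?P<v>\d+) visits for state CO"),
    "UpdateCount": re.compile(r"Finished updating status for (?P<v>\d+) visits for state CO"),
}

# Constructed sample log (day, message); not real collector output.
SAMPLE_LOG = [
    ("2024-03-01", "Finished cataloging 12 visits for state CO"),
    ("2024-03-01", "Finished cataloging visits: Visit count: 8"),
    ("2024-03-01", "Finished submitting 15 visits for state CO"),
    ("2024-03-03", "Finished cataloging visits: Visit count: 20"),
    ("2024-03-03", "Finished updating status for 5 visits for state CO"),
    ("2024-03-03", "Heartbeat OK"),  # kept by nodrop, matches nothing
]

def parse_fields(message):
    """Extract each counter; a field that does not match stays None (nodrop)."""
    return {name: int(m.group("v")) if (m := pat.search(message)) else None
            for name, pat in PATTERNS.items()}

def aggregate(log):
    """Per-day sums over the whole day range, with old+new merged into VisitsDiscovered."""
    sums = defaultdict(lambda: defaultdict(int))  # assumption: missing sums count as 0
    for day, message in log:
        for name, value in parse_fields(message).items():
            if value is not None:
                sums[day][name] += value
    first, last = date.fromisoformat(min(sums)), date.fromisoformat(max(sums))
    result, d = {}, first
    while d <= last:  # fillmissing timeslice(1d): emit every day, even with no data
        s = sums[d.isoformat()]
        result[d.isoformat()] = {
            "VisitsDiscovered": s["DiscoverCountOld"] + s["DiscoverCount"],
            "VisitsSubmitted": s["SubmitCount"],
            "VisitsUpdated": s["UpdateCount"],
        }
        d += timedelta(days=1)
    return result

if __name__ == "__main__":
    for day, row in aggregate(SAMPLE_LOG).items():
        print(day, row)
```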