Hello -
A version of the following query gives me just what I'm looking for (although a much larger chart):
index="foo" search_text | chart count by result version
returns something like
|   |v1.1|v1.2|v1.3|v1.4|
| A |1823| 283|  12| 941|
| B | 923|  23|   2| 193|
| C | 810|  74|   1| 324|
| D |1192|   2|   6|  90|
The one thing I still need to do is to filter out entire columns based on an arbitrary value (say, the count of A for a particular version is less than 100). For example, v1.3 has only 12 instances of result 'A', so this chart should only show columns for v1.1, v1.2, and v1.4.
Any tips?
Thanks!
Assuming you want this procedure to be fully automated, you can do something like:
index=foo search_text
| stats count by result version
| eventstats sum(count) as version_count by version
| search version_count > 100
| chart sum(count) by result version
This filters out columns whose column sum is > 100.
If you really mean just count of result=A, version=* > 100, then it's better to use a subsearch:
index=foo search_text [search index=foo search_text result=A
| stats count by version
| search count > 100
| fields version
]
| chart count by result version
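As an added example (not from either poster), the eventstats approach can also apply the original criterion exactly, dropping a version column when its count of result=A is below 100, without the subsearch. Field names `a_count` and `a_total` are assumed helper names.

```spl
index=foo search_text
| stats count by result version
/* carry only the A count into a helper field; other results contribute 0 */
| eval a_count = if(result="A", count, 0)
/* total the A count per version and attach it to every row of that version */
| eventstats sum(a_count) as a_total by version
/* keep versions with at least 100 A results, e.g. v1.3 (12) is dropped */
| where a_total >= 100
| fields - a_count a_total
| chart sum(count) by result version
```

Since every row for a version carries the same `a_total`, the `where` removes the whole column at once, including the B, C and D rows for that version.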
This worked perfectly, thanks! I'd previously tried the subsearch approach, but since I'm actually searching through a few hundred million records, the subsearch would always time out; the eventstats approach was just the trick.