index=a host="b" source="0*_R_S_C_ajf" OWNER=dw*
|eval ODate=strptime(ODATE,"%Y%m%d")
|eval ODATE=strftime(ODate,"%Y-%m-%d")
| eval TWIN_ID=substr(JOBNAME,7,2)
|search ODATE="2022-07-13" TWIN_ID="CH"
| xyseries TWIN_ID STATUS APPLIC
|fillnull value="0"
when i select TWIN_ID="CH" it is showing 3 counts but actuall count is 73.I think xyseries is removing duplicates can you please me on this
my output is
CH | DW_tz | DW_l6 | DW_1b |
cH | 0 | 0 | rs_rc |
ch | 0 | DW_dwscd | DW_dwscd |
Try list rather than values
index=a host="b" source="0*_R_S_C_ajf" OWNER=dw*
|eval ODate=strptime(ODATE,"%Y%m%d")
|eval ODATE=strftime(ODate,"%Y-%m-%d")
| eval TWIN_ID=substr(JOBNAME,7,2)
| chart list(APPLIC) as APPLIC over TWIN_ID by STATUS
|mvexpand N
|fillnull value="0"
Hello @ITWhisperer
Thanks for reply
I tried the list but still i am getting duplicates
TWIN_ID N VALUE Y
CH | DW_i6 DW_dx DW_bp DW_o9 DW_sb DW_tz DW_o6 DW_tz | DW_ed DW_h6 DW_zp DW_bl DW_c1 DW_v2 DW_zp DW_o4 DW_o3 DW_o5 DW_ed DW_ed DW_zp DW_w6 DW_d6 DW_ec DW_t6 DW_eb DW_t1 DW_d6 DW_w6 | DW_v2 |
when to mv expand of Y N VALUES I am getting duplicates
CH | DW_tz | DW_e2 | DW_t4 |
CH | DW_tz | DW_v2 | DW_t4 |
CH | DW_tz | DW_zp | DW_t4 |
CH | DW_tz | DW_e2 | DW_t4 |
CH | DW_tz | DW_g1 | DW_t4 |
CH | DW_tz | DW_dx | DW_t4 |
CH | DW_tz | DW_o5 | DW_t4 |
CH | DW_tz | DW_c5 | DW_t4 |
CH | DW_tz | DW_o3 | DW_t4 |
Correct - mvexpand works on one field at a time, all other fields are duplicated for each value in the mv-field
If you use mvexpand on multiple fields you will get a cross-product of the events.
Perhaps it would be clear if you give an example of your events and what you expect your result to be
Hello @ITWhisperer
Thanks for reply.
what i got the results
CH | DW_i6 DW_dx DW_bp DW_o9 DW_sb DW_tz DW_o6 DW_tz | DW_ed DW_h6 DW_zp DW_bl DW_c1 DW_v2 DW_zp DW_o4 DW_o3 DW_o5 DW_ed DW_ed DW_zp DW_w6 DW_d6 DW_ec DW_t6 DW_eb DW_t1 DW_d6 DW_w6 | DW_v2 |
what i except output is
TWIN_ID | Y | VALUE | N |
CH | DW_i6 | DW_zp | 0 |
CH | DW_dx | DW_h6 | DW_2 |
CH | DW_bp | DW_ed | 0 |
cH | DW_o9 | DW_bl | DW_3 |
ch | DW_sb | DW_c1 | 0 |
Xyseries only spreads values around. If you want aggregation use stats.
<...>
| stats count(APPLIC) AS APPLIC by TWIN_ID STATUS
| xyseries TWIN_ID STATUS APPLIC
MYOUTPUT
TWIN_ID | Y | N |
CH | D | DW1 DW2 DWacd |
CH | Dw2 | DW1 DW2 DWacd |
cH | 0 | DWacd |
ch | Dwad | 0 |