I'm seeing a weird problem that I've been banging my head on today. I have the following search:
index="tap" eventType="messagesDelivered" OR eventType="messagesBlocked" | stats count(eval(eventType=="messagesBlocked")) AS Blocked, count(eval(eventType=="messagesDelivered")) AS Delivered | eval Total=(Blocked+Delivered) | eval divided = Blocked/Total | eval Percent_Blocked=round((divided*100),0)."%" | fields Blocked,Delivered,Total,Percent_Blocked
The search works fine, but it charts only the Blocked field and nothing else, so my pie chart is 100% Blocked and a single color. I'm wanting to chart the blocked and delivered as separate slices. I think it has something to do with my stats and eval command renaming.
The original data are from the field eventType. If I don't eval them to different fields, they show up as individual rows instead of columns - but this works:
![alt text][1]
If I do the original search with stats and eval, I get this:
![alt text][2]
[1]: /storage/temp/218585-eventtype.png
[2]: /storage/temp/218586-eval.png
Any ideas on how I can chart this based off of the Blocked and Delivered columns?
Thanks!
↧