Hi All,
Below is my requirement:
I have single value attributes in my dashboards like:

| Total | Approved | Pending | Cancelled |
|-------|----------|---------|-----------|
| 100   | 25       | 50      | 25        |
I have added a drilldown. If I click on "50", I should see 50 events in a separate table, or if I click on "25", I should see 25 events in table format, etc.

Searches:

```
index=USA sourcetype=abc MESSAGE="Test" | transaction ID | stats first(STATUS) as APP_STATUS by ID | fields - ID | search APP_STATUS="Cancelled" | stats count

index=USA sourcetype=abc MESSAGE="Test" | transaction ID | stats first(STATUS) as APP_STATUS by ID | fields - ID | search APP_STATUS="Approved" | stats count

index=USA sourcetype=abc MESSAGE="Test" | transaction ID | stats first(STATUS) as APP_STATUS by ID | fields - ID | search APP_STATUS="Pending" | stats count
```

...etc. for all single value visualizations.
The reason I used `| stats first(STATUS)` in the search is that the application status may change from Pending to Approved, or from Cancelled to Approved, etc., but the ID remains the same even if the status changes.
Example: If Pending has 3 applications and the status of one application is changed to Approved, then the Pending count should decrease by 1 (i.e., to 2) and the Approved count should increase by 1.
And the search for the table drilldown:

```
index=USA sourcetype=abc APP_STATUS=$app1_stat$ MESSAGE="Test" | table ID,COUNTRY,TYPE
```
The issue is that if I click on any of the single values (25, 50, 25), I see a higher count in the table. According to the requirement, I should see the same number of events in the table.
Thanks in advance.
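
The single-value searches above reduce the data to one row per ID before filtering on status, while the table drilldown search returns one row per matching event, so an ID with several events yields several table rows. As an added example (not part of the original post), here is a drilldown search that reuses the same per-ID reduction and only then filters on the clicked status. It assumes COUNTRY and TYPE are fields on the same events and takes `first()` of each so that one value per ID reaches the table.

```spl
index=USA sourcetype=abc MESSAGE="Test"
| transaction ID
| stats first(STATUS) as APP_STATUS first(COUNTRY) as COUNTRY first(TYPE) as TYPE by ID
| search APP_STATUS="$app1_stat$"
| table ID, COUNTRY, TYPE
```

Because the pipeline up to the `search` command matches the single-value searches, the number of table rows equals the `stats count` shown on the clicked panel for the same time range.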