First problem:
Fields are extracted in Interesting Fields, and I'm trying to combine data where **Account** and **RequestorCode** must be the fields with identical data values. I need help to get the *sum of the ElapsedTime values* when the data are combined.
Below is my query:

```
index=
| eval Service= case(Service = "X", "TEST", Service = "Y", "TEST")
| table _time Service Account ElapsedTime RequestorCode
```
Below is my sample:

```
----SAMPLE DATA----
Account: 123
Service: X
ElapsedTime: 80.0ms
RequestorCode: XX1

Account : 123
Service: Y
ElapsedTime: 20.0ms
RequestorCode: XX1

---OUTPUT---
Account: 123
Service: Z
ElapsedTime: 100.0ms
RequestorCode: XX1
```
Second problem:
Fields are extracted in Interesting Fields, and I need help to show the data with *the highest elapsed time* where **Account** and **RequestorCode** must be the fields with identical data values.
Below is my sample:

```
----SAMPLE DATA----
Account: 123
Service: A
ElapsedTime: 70.0ms
RequestorCode: XX1

Account : 123
Service: B
ElapsedTime: 50.0ms
RequestorCode: XX1

---OUTPUT---
Account: 123
Service: A
ElapsedTime: 70.0ms
RequestorCode: XX1
```
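One way to get both results in a single search, as an added example that is not part of the original post: it strips the `ms` suffix so ElapsedTime can be summed and compared, then uses `eventstats` to compute the per-pair total and maximum. The rows are constructed with `makeresults` from the two samples above; the second sample is given a constructed Account of 456 so the two pairs stay separate, and the field names ElapsedMs, TotalElapsedMs and MaxElapsedMs are assumptions.

```spl
| makeresults count=4 ```constructed sample rows, not real events```
| streamstats count AS n
| eval Account=if(n<=2, "123", "456"), RequestorCode="XX1"
| eval Service=case(n=1, "X", n=2, "Y", n=3, "A", n=4, "B")
| eval ElapsedTime=case(n=1, "80.0ms", n=2, "20.0ms", n=3, "70.0ms", n=4, "50.0ms")
| eval ElapsedMs=tonumber(replace(ElapsedTime, "ms$", "")) ```drop the unit so the value is numeric```
| eventstats sum(ElapsedMs) AS TotalElapsedMs max(ElapsedMs) AS MaxElapsedMs BY Account RequestorCode
| where ElapsedMs=MaxElapsedMs ```keep the slowest event of each Account/RequestorCode pair```
| table Account RequestorCode Service ElapsedTime TotalElapsedMs
```

Against indexed events, the first five lines are replaced by the base search; events that tie for the maximum are all kept. If only the total is needed, `stats sum(ElapsedMs) BY Account RequestorCode` in place of the `eventstats` and `where` lines is enough.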