I am attempting to write a search which uses eval show the difference between two assignment groups. A number of assignment groups which all begin with ABC. I want to group all of these as 'IDS'.I then want to show the allocated tickets to IDS and stack against the OTHER assignment group (which does not start with ABC). I then want this to show as a timechart stacked week by week.
This is what I have:
index="myindex" sourcetype="csv" "Assignment group"="wildcard*" | eval IDS=if(like("Assignment group","ABC*"),"IDS","OTHER") |timechart span=1w count by "Assignment group".
Can anyone advise what I am doing wrong here? The timechart shows individual ABC-**** groups in the chart rather than grouped IDS results against OTHER.
Thanks in advance for any help.
Rob.
↧