Hello
I have a search that joins together data, the search works great but the results that Im trying to get are proving a bit tricky.
index=tsv
|rename BOID AS id
|dedup SurveyInstanceID QuestionID QuestionText QuestionAnswer QuestionAnswerWeight
|join id [`init(assessments)`
|rename info_name as assessmentName
|dedup assessmentName
|`fp_mvexpand(related_vendors)`
|eval RV = mvindex(related_vendors,0) ]
|join RV [ `init(vendors)`
|rename id as RV info_name as Vendor
|dedup Vendor]
| search Vendor=$vendor$
|streamstats count(QuestionID) by SectionTitle
|rename count(QuestionID) as total
| eval "Section Status"=case(SectionTitle == "1.1" AND total == "3", "Completed",
SectionTitle == "1.2 " AND total == "4", "Completed",
SectionTitle == "1.3" AND total == "3", "Completed",
true(), "Incomplete")
|rename total as "Questions Answered" SectionTitle as "Section Title"
the goal is that if "Section Status" == "Incomplete" AT ALL, return "Incomplete" otherwise its "Complete".
This causes every record to be evaluated which is not what Im trying to get I only need it to return a single result.
So if
So lets say
SectionTitle == "1.1" AND total == "3"
SectionTitle == "1.2 " AND total == "2"
SectionTitle == "1.3" AND total == "3"
the result would be "Incomplete"
I plan on making this a single value panel on a dashboard
Thanks for the assistance
↧