Multiply values within each daily record but group by month

I'm trying hard to achieve the following. Assume I have this data:

    DATE=2020-01-01 ITEM1=1 ITEM2=10
    DATE=2020-01-02 ITEM1=2 ITEM2=20
    DATE=2020-01-03 ITEM1=3 ITEM2=30
    ....
    DATE=2020-01-31 ITEM1=5 ITEM2=40
    DATE=2020-02-01 ITEM1=1 ITEM2=10
    DATE=2020-02-02 ITEM1=2 ITEM2=20
    DATE=2020-02-03 ITEM1=3 ITEM2=20
    ...
    DATE=2020-02-28 ITEM1=4 ITEM2=20

I'd like to multiply ITEM1 with ITEM2 and show it in the field dailytot. The table query then looks like:

    DATE=*
    | rex field=_raw "DATE=\d+-(?<Month>(.*))-\d+ "
    | rex field=_raw "DATE=(?<Year>(.*))-\d+-\d+ "
    | rex field=_raw "DATE=\d+-\d+-(?<Day>(.*)\s{1})ITEM1"
    | stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 by Month, Year, Day
    | eval Daytot = ( ITEM1 * ITEM2)
    | addcoltotals ITEM1, ITEM2, Daytot labelfield=Month label=Total

The output looks like:

    Month  Year  Day  ITEM1  ITEM2  Daytot
    01     2020  01   1      10     10
    01     2020  02   2      20     40
    01     2020  03   3      30     90
    01     2020  31   5      40     200
    02     2020  01   1      10     10
    02     2020  02   2      20     40
    02     2020  03   3      20     60
    02     2020  28   4      20     80
    Total             21     170    530

All good so far, but I would like to get monthly totals like this:

    Month  Year  ITEM1  ITEM2  Daytot
    01     2020  11     100    340
    02     2020  10     70     190
    Total  2020  21     170    530

I was thinking about appending one more search and doing one more calculation:

    DATE=*
    | rex field=_raw "DATE=\d+-(?<Month>(.*))-\d+ "
    | rex field=_raw "DATE=(?<Year>(.*))-\d+-\d+ "
    | rex field=_raw "DATE=\d+-\d+-(?<Day>(.*)\s{1})ITEM1"
    | stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 by Month, Year
    | append [ | stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 by Month, Year, Day | eval Daytot = ( ITEM1 * ITEM2) ]
    | addcoltotals ITEM1, ITEM2, Daytot labelfield=Month label=Total

But the above try doesn't take me anywhere. Any idea how to solve this?
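The point the question turns on is that the daily product has to be computed before the monthly roll-up: the monthly Daytot is the sum of the daily ITEM1 * ITEM2 products (340 for January), not the product of the monthly sums (11 * 100 = 1100). The following Python is an added example, not part of the question or of Splunk; it re-implements the pipeline stages of the query (rex extraction, a per-day stats, the eval, a second per-month stats, addcoltotals) over constructed events copied from the question, and also computes the wrong product-of-sums figure so the difference is visible. Field names and the event layout are taken from the question; everything else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample events mirroring the question's data (not real log data).
RAW_EVENTS = [
    "DATE=2020-01-01 ITEM1=1 ITEM2=10",
    "DATE=2020-01-02 ITEM1=2 ITEM2=20",
    "DATE=2020-01-03 ITEM1=3 ITEM2=30",
    "DATE=2020-01-31 ITEM1=5 ITEM2=40",
    "DATE=2020-02-01 ITEM1=1 ITEM2=10",
    "DATE=2020-02-02 ITEM1=2 ITEM2=20",
    "DATE=2020-02-03 ITEM1=3 ITEM2=20",
    "DATE=2020-02-28 ITEM1=4 ITEM2=20",
]

# One anchored regex does the work of the three rex commands plus the ITEM fields.
EVENT_RE = re.compile(
    r"DATE=(?P<Year>\d{4})-(?P<Month>\d{2})-(?P<Day>\d{2})\s+"
    r"ITEM1=(?P<ITEM1>\d+)\s+ITEM2=(?P<ITEM2>\d+)"
)


def parse_events(raw_events):
    """Stage 1 (rex): one dict per event with Year/Month/Day strings and integer ITEMs."""
    rows = []
    for line in raw_events:
        m = EVENT_RE.search(line)
        if not m:
            continue  # rex would simply leave the fields unset; we drop the event
        rows.append({k: (int(v) if k.startswith("ITEM") else v)
                     for k, v in m.groupdict().items()})
    return rows


def daily_totals(rows):
    """Stage 2 (stats by Year, Month, Day) followed by eval Daytot = ITEM1 * ITEM2."""
    acc = defaultdict(lambda: {"ITEM1": 0, "ITEM2": 0})
    for r in rows:
        key = (r["Year"], r["Month"], r["Day"])
        acc[key]["ITEM1"] += r["ITEM1"]
        acc[key]["ITEM2"] += r["ITEM2"]
    return [
        {"Year": y, "Month": mo, "Day": d,
         "ITEM1": v["ITEM1"], "ITEM2": v["ITEM2"],
         "Daytot": v["ITEM1"] * v["ITEM2"]}  # product per day, before any roll-up
        for (y, mo, d), v in sorted(acc.items())
    ]


def monthly_totals(daily):
    """Stage 3 (second stats by Year, Month): sum ITEM1, ITEM2 and the per-day Daytot."""
    acc = defaultdict(lambda: {"ITEM1": 0, "ITEM2": 0, "Daytot": 0})
    for r in daily:
        for f in ("ITEM1", "ITEM2", "Daytot"):
            acc[(r["Year"], r["Month"])][f] += r[f]
    return [{"Year": y, "Month": mo, **v} for (y, mo), v in sorted(acc.items())]


def product_of_monthly_sums(monthly):
    """The pitfall: multiplying the monthly sums gives a different (wrong) number."""
    return [r["ITEM1"] * r["ITEM2"] for r in monthly]


def add_col_totals(rows, fields=("ITEM1", "ITEM2", "Daytot"), labelfield="Month", label="Total"):
    """Stage 4 (addcoltotals): append a row holding the column sums, labelled in labelfield."""
    total = {labelfield: label}
    for f in fields:
        total[f] = sum(r[f] for r in rows)
    return rows + [total]


def monthly_report(raw_events):
    """Whole pipeline: returns the monthly rows plus the Total row."""
    return add_col_totals(monthly_totals(daily_totals(parse_events(raw_events))))


if __name__ == "__main__":
    for row in monthly_report(RAW_EVENTS):
        print(row)
    print("product of monthly sums:",
          product_of_monthly_sums(monthly_totals(daily_totals(parse_events(RAW_EVENTS)))))
```

In SPL the same shape is a second aggregation placed after the `eval` and before `addcoltotals`, i.e. `| stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 sum(Daytot) as Daytot by Year, Month`, so that Daytot is summed from the daily rows rather than recomputed from monthly sums.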