I have the following Splunk fields:
Date,Group,State
State can have the following values: InProgress | Declined | Submitted
I want to get the following result:
Date        Group   TotalInProgress   TotalDeclined   TotalSubmitted   Total
-----------------------------------------------------------------------------
12-12-2021  A       13                10              15               38
I can't figure it out. Any help would be greatly appreciated.
Maybe this example query will help.
| makeresults | eval _raw="Date,Group,State
12-12-2021,A,InProgress
12-12-2021,B,InProgress
12-12-2021,A,Declined
12-12-2021,A,InProgress
12-12-2021,A,Submitted
12-12-2021,B,Submitted
12-12-2021,A,InProgress
12-12-2021,A,InProgress
12-12-2021,B,Declined
12-12-2021,A,InProgress
12-12-2021,A,Submitted
12-12-2021,A,Submitted"
| multikv forceheader=1
```Above lines just set up test data```
```Set variables based on the State field```
| eval InProgress=if(State="InProgress", 1, 0), Declined=if(State="Declined", 1, 0), Submitted=if(State="Submitted", 1, 0)
```Count events```
| stats count as Total, sum(InProgress) as TotalInProgress, sum(Declined) as TotalDeclined, sum(Submitted) as TotalSubmitted by Date,Group
| table Date Group TotalInProgress TotalDeclined TotalSubmitted Total
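As an added variant (not from the answer above), the same pivot can be written without the intermediate 0/1 fields by using count(eval(...)) directly inside stats; the test data is constructed inline, and the extra Unmatched column is an assumed sanity check that flags rows where State held a value outside the three expected ones (note that the comparisons are case-sensitive, so "inprogress" would land in Unmatched rather than TotalInProgress).

```spl
| makeresults
| eval _raw="Date,Group,State
12-12-2021,A,InProgress
12-12-2021,A,Declined
12-12-2021,A,Submitted
12-12-2021,B,InProgress
12-12-2021,B,Declined
12-12-2021,B,inprogress
12-13-2021,A,Submitted"
| multikv forceheader=1
| stats count(eval(State="InProgress")) as TotalInProgress,
        count(eval(State="Declined"))   as TotalDeclined,
        count(eval(State="Submitted"))  as TotalSubmitted,
        count                           as Total
        by Date, Group
| eval Unmatched = Total - (TotalInProgress + TotalDeclined + TotalSubmitted)
| table Date Group TotalInProgress TotalDeclined TotalSubmitted Total Unmatched
```

With this data the 12-12-2021/B row shows Unmatched=1 because of the lowercase "inprogress" value; if State is always clean, drop the eval and the last column.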