Hi,
I have 2 separate indices across which I want to correlate few fields.
I have created a data table visualization, added the required aggregated metrics and everything is working as expected.
Now in this case, I added integer fields so that I can use the Sum aggregation and count the number of times these have occurred.
I also have a string field for the same purpose.
Logstash code matching the event:
add_field => { "l3_debug" => "RRC_CONNECTION_REQUEST"} add_field => { "n_rrc_conn_req" => "1"}
These 2 fields are redundant. What I want to know is, in the above table, instead of using sum of 'n_rrc_conn_req', can I use count of l3_debug: RRC_CONNECTION_REQUEST and eliminate the integer field?
If you select Count, then there is no option to apply any filter.
Can the Advanced->JSON input section be used for this?
Thanks
Nikhil