Time MSG PayID PayResult
March 28th 2018, 23:35:47.295 PayResult 24C49884-6DF5-4216-90DD-FD3E7D594C94 Leave
March 28th 2018, 23:35:21.901 PayResult 09895841-AADC-4F2C-88A2-6624070802A9 Leave
March 28th 2018, 23:32:33.014 PayResult B0D4B5FF-3936-40FB-B041-8341DF38631E Success
March 28th 2018, 23:32:24.384 PayResult B0D4B5FF-3936-40FB-B041-8341DF38631E Cancel
March 28th 2018, 23:32:02.522 PayResult A7D6DEB1-5030-4CB0-A357-F14D15E0CBAC Leave
March 28th 2018, 23:31:59.354 PayResult A7D6DEB1-5030-4CB0-A357-F14D15E0CBAC Cancel
March 28th 2018, 23:29:53.692 PayResult FF2BC98D-DB44-4232-8D4F-46EB9A4EAEE8 Leave
March 28th 2018, 23:29:22.945 PayResult DAFF8C9A-A16E-413E-A261-CF5FF9048465 Leave
March 28th 2018, 23:29:07.025 PayResult 092BB593-6A70-4DDC-9493-97F9FCF2B4A0 Leave
if the PayResult is Success i needn't cancel and leave i hope when i statistics or Aggregations use the lastest PayResult
I'm not sure I understand what you want to do.
You can aggregate strings only in keyword format. If you didn't map PayResult as keyword, then use PayResult.keyword in your visualization.
If you mapped it as keyword (which you should in my opinion, because the field seems to have a discrete number of single string values), then just use PayResult.
Then in your search you can use PayResult:"Success" (or PayResult.keyword:"Success"), if you want to see only Success events.
Or negate it if you want to see every event but those: -PayResult:"Success" (-PayResult.keyword:"Success").
thank you
but i mean when two events have the same ID ,if PayResult is Success and cancel ,so when i statistics how many success and how many cancel, they will all be counted,so i need A ID has only one final result ,The success is higher than the cancellation weight, and the cancellation is higher than the leave weight.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.