CoffeePeddlerIntern

Reputation: 679

If statements and extracting values

I have a result set that looks like

{add=[44961373 (1645499799657512961), 44961374 (1645499799658561538), 44962094 (1645499799659610114), 44962095 (1645499799659610117), 44962096 (1645499799660658689), 44962097 (1645499799660658691), 44962098 (1645499799661707264), 44962099 (1645499799661707267), 44962100 (1645499799662755840), 44962101 (1645499799662755843), ... (592 adds)]}

If the add=[ array has more than 10 elements in it, then it will put (x adds) at the end of the statement to show how many actual adds there were. If it has less than 10, then it won't put the (x adds) statement. I am wanting to timechart and also single value these outputs to a dashboard (separate modules).

I can get one or the other but I would like to use some logic to figure out which one to report.

index="index" host="host*" path=/update | eval count=mvcount(add) | stats count

will get the count of the array

index="index" host="host*"  path=/update | stats sum(Adds)

will get the value of the (x adds). Adds is an 'extracted field'.

How do I get either or? If add array >10, use sum(Adds), in the same breath.

Upvotes: 0

Views: 55

Answers (1)

Simon Duff

Reputation: 2651

index="index" host="host*" path=/update | eval count=mvcount(add)
| eval first_ten="{add=[".mvjoin(mvindex(add,0,9), ",")." (".(count-10)." adds)}"
| eval msg=if(count<10,_raw,first_ten)

You can do something like this. Get the count of adds, create a new string with the first 10 elements only, with the count-10 adds message at the end. Then, depending on the actual count, either use the original (_raw), or the new message.

Upvotes: 1
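
The rule the question asks for (use the "(x adds)" figure when the list is truncated, otherwise count the listed entries), as an added Python example that is not part of the original post or answer. The function names and sample events are constructed for illustration, and the event layout is assumed to match the sample shown in the question.

```python
import re

# Body of the add=[...] list in one raw event.
ADD_LIST = re.compile(r"\{add=\[(.*?)\]\}", re.DOTALL)
# Truncation marker at the end of a long list, e.g. "... (592 adds)".
SUMMARY = re.compile(r"\.\.\.\s*\((\d+)\s+adds\)\s*$")
# One listed entry, e.g. "44961373 (1645499799657512961)".
ENTRY = re.compile(r"\d+\s*\(\d+\)")


def total_adds(raw):
    """Return the number of adds in one event, or None if it has no add list."""
    match = ADD_LIST.search(raw)
    if match is None:
        return None
    body = match.group(1)
    summary = SUMMARY.search(body)
    if summary:
        # Truncated list: only the marker carries the real total.
        return int(summary.group(1))
    # Short list: every add is listed, so count the entries.
    return len(ENTRY.findall(body))


def sum_adds(events):
    """Sum adds across events, skipping events without an add list."""
    counts = (total_adds(e) for e in events)
    return sum(c for c in counts if c is not None)


# Constructed sample events (shortened, not real log data).
SAMPLE_EVENTS = [
    "{add=[44961373 (1645499799657512961), "
    "44961374 (1645499799658561538), ... (592 adds)]}",
    "{add=[1 (10), 2 (20), 3 (30)]}",
    "path=/update status=0",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(total_adds(event), "<-", event[:40])
    print("total:", sum_adds(SAMPLE_EVENTS))
```

Running a few raw events through this gives a reference total to compare a dashboard search against.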
