Over the last 3 days I was trying to create a dashboard with a single value + trends.
The query was something like this:
The goal was to get the total number of src based on the dashboard time range (before talking about the trends).
Right now, by mistake (I must be honest), I changed the query so that I replaced the word "by" with "as", and it seems to work, but not perfectly: when I change the time range to "all time" I expect to see all events, but I get only one of them (although there are 5 events in the results):
Can someone please tell me why I got confused, and how to translate my goal above into a query correctly for next time?
So what you are doing with your first search will split the timechart count by your Source IP.
You basically count, e.g. every hour, how many Source IPs have been seen, and split this value by each unique Source IP.
With "as" instead of "by" you are renaming the count field as "src".
You are now creating a count of all the Source IPs that were seen in, e.g., an hour over time.
| timechart count as src is the right code (count of "src" events renamed to "src").
If you use "count by src" and you have deduplicated "by src" in the previous step, you will always get 1 as the result (1 event per "src").
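To make the difference between "by" and "as" (and the dedup case) visible side by side, here is an added example that is not part of the question or either answer. It builds its own constructed sample events with makeresults, so it runs on any Splunk instance without real data: six events spread over three hourly buckets with three distinct src values. The field name src and the IP values are assumptions for illustration; dc(src) is used on the assumption that "total number of src" in the question means the number of distinct sources.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-" . tostring(floor((n + 1) / 2)) . "h")
| eval src = case(n <= 3, "10.0.0.1", n <= 5, "10.0.0.2", true(), "10.0.0.3")
| timechart span=1h count BY src

| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-" . tostring(floor((n + 1) / 2)) . "h")
| eval src = case(n <= 3, "10.0.0.1", n <= 5, "10.0.0.2", true(), "10.0.0.3")
| timechart span=1h count AS src

| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-" . tostring(floor((n + 1) / 2)) . "h")
| eval src = case(n <= 3, "10.0.0.1", n <= 5, "10.0.0.2", true(), "10.0.0.3")
| timechart span=1h dc(src) AS src

| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-" . tostring(floor((n + 1) / 2)) . "h")
| eval src = case(n <= 3, "10.0.0.1", n <= 5, "10.0.0.2", true(), "10.0.0.3")
| dedup src
| timechart span=1h count BY src

| makeresults count=6
| streamstats count AS n
| eval src = case(n <= 3, "10.0.0.1", n <= 5, "10.0.0.2", true(), "10.0.0.3")
| stats dc(src) AS distinct_src, count AS total_events
```

The first four lines of each search are identical and only produce the sample data (events 1-2 in the oldest-but-one bucket, 3-4 in the next, 5-6 in the newest; src is 10.0.0.1 for events 1-3, 10.0.0.2 for 4-5, 10.0.0.3 for 6). Only the last line differs. "count BY src" returns one column per source (10.0.0.1: 2, 1, 0; 10.0.0.2: 0, 1, 1; 10.0.0.3: 0, 0, 1), which is the split the first answer describes. "count AS src" returns a single column named src holding the event count per bucket (2, 2, 2): the aggregate is only renamed. "dc(src) AS src" returns the number of distinct sources per bucket (1, 2, 2), which is the trend you want if the single value should be a count of distinct sources. The dedup variant shows the second answer's point: after "dedup src" only one event per source survives, so every split column can only ever show 1. The final stats search is the single-value form: distinct_src = 3 and total_events = 6, with the dashboard time picker deciding which events feed it.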