Hey all,
Are you familiar with a way to find average event count by time?
I have events that represent user logins.
I have to find a sequence of a few days in a row with event count larger than 0 by username.
I tried to do it with the timechart command
<my search> | timechart span=1d count by username
and then to do an avg / another stat function like median on the count field, but it didn't lead to any results...
My goal is to get a list of usernames which tried to access a few days in a row.
Any help?
Since you do not have username fields after the timechart command, you cannot get any result. Please try below:
| bin _time span=1d
| stats count by username _time
| timechart avg(count) by username
Thanks for the fast reply 🙂
It seems to do the work - the bin function has aggregated the events well
After that I could use the stats command successfully
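Added example, not part of the original thread: one way to go from the daily per-user counts above to the stated goal, a list of usernames with logins on several days in a row, by numbering each run of consecutive days with streamstats. The sample rows in `constructed_sample`, the threshold of 3 days and the field names `prev_day`, `new_streak`, `streak_id` and `days_in_row` are assumptions; on real data, replace everything up to and including the `fields` line with `<my search>`.

```spl
| makeresults
| eval constructed_sample="alice,2024-03-01 alice,2024-03-01 alice,2024-03-02 alice,2024-03-03 bob,2024-03-01 bob,2024-03-03 carol,2024-03-02 carol,2024-03-03 dave,2024-03-01 dave,2024-03-02 dave,2024-03-04 dave,2024-03-05 dave,2024-03-06"
| makemv delim=" " constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<username>[^,]+),(?<day>\S+)$"
| eval _time=strptime(day, "%Y-%m-%d")
| fields _time username
| bin _time span=1d
| stats count by username _time
| sort 0 username _time
| streamstats current=f last(_time) as prev_day by username
| eval new_streak=if(isnull(prev_day) OR round((_time - prev_day) / 86400) > 1, 1, 0)
| streamstats sum(new_streak) as streak_id by username
| stats count as days_in_row min(_time) as first_day max(_time) as last_day sum(count) as logins by username streak_id
| where days_in_row >= 3
| fieldformat first_day=strftime(first_day, "%Y-%m-%d")
| fieldformat last_day=strftime(last_day, "%Y-%m-%d")
| table username first_day last_day days_in_row logins
```

The gap between daily buckets is rounded to whole days so that a 23-hour or 25-hour day at a daylight-saving change does not split a streak. `sort 0` removes the default 10,000-row sort limit, which would otherwise silently truncate larger result sets.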