Hey all,
Are you familiar with a way to find average event count by time?
I have events that represent user logins.
I have to find a sequence of a few days in a row with an event count larger than 0 by username.
I tried to do it with the timechart command
<my search> | timechart span=1d count by username
and then to do an avg / another stat function like median on the count field, but it didn't lead to any results...
My goal is to get a list of usernames which tried to access a few days in a row.
Any help?
Hi @Tankwell,
Since you do not have username fields after the timechart command, you cannot get any result. Please try below:
| bin _time span=1d
| stats count by username _time
| timechart avg(count) by username
Hey,
Thanks for the fast reply 🙂
It seems to do the work - the bin function has aggregated the events well
After that I could use the stats command successfully
Thanks 😀
Tankwell
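
For the goal stated in the question (usernames with logins on several days in a row), the per-day counts from the `bin` and `stats` steps above can be grouped into runs of consecutive days. This is an added example, not a search posted by anyone in the thread; the threshold of 3 days and the field names `prev_day`, `new_run`, `run_id`, `days_in_row`, `first_day` and `last_day` are assumptions chosen for illustration.

```spl
<my search>
| bin _time span=1d
| stats count by username _time
``` one row per username per day with at least one login; order them per user ```
| sort 0 username _time
``` previous login day seen for the same username (null on the user's first row) ```
| streamstats current=f last(_time) as prev_day by username
``` a gap of more than one day starts a new run; 90000 s (25 h) tolerates a DST shift ```
| eval new_run=if(isnull(prev_day) OR (_time - prev_day) > 90000, 1, 0)
``` running total of run starts gives each consecutive-day run its own id ```
| streamstats sum(new_run) as run_id by username
| stats count as days_in_row min(_time) as first_day max(_time) as last_day by username run_id
``` assumed threshold: keep runs of 3 or more consecutive days ```
| where days_in_row >= 3
| eval first_day=strftime(first_day, "%Y-%m-%d"), last_day=strftime(last_day, "%Y-%m-%d")
| table username days_in_row first_day last_day
```

Each output row is one run of consecutive login days for a username, so a user with two separate streaks appears twice.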