Hi,
I have given a query to return me a list of details as below; however, the results for all of 30 days are not populating. Instead it's giving only the results for the last 3 days.
"http://pinky/createcustomer" NOT "http:/pinky/confirmcustomer" | join type=left vsid [ search "http:/pinky/searchcustomer" ] | eval time=strftime(_time,"%a %B %d %Y %H:%M:%S.%N")| stats count(vsid) as TempcustomerCount list(email) as Email list(firstname) as FirstName list(lastname) as LastName list(JSESSIONID) as JSessionID list(time) as Time by customerCode,previewCode,vsid | where TempcustomerCount>=5
Also, what does this get you?
("http://pinky/createcustomer" NOT "http:/pinky/confirmcustomer") "http:/pinky/searchcustomer"
| eval time=strftime(_time,"%a %B %d %Y %H:%M:%S.%N")
| stats count(vsid) as TempcustomerCount list(email) as Email list(firstname) as FirstName list(lastname) as LastName list(JSESSIONID) as JSessionID list(time) as Time by customerCode,previewCode,vsid
| where TempcustomerCount>=5
I mean, you already group on vsid in the stats, so ... the join seems superfluous.
Also, why have the NOT "http:/pinky/confirmcustomer"? The search string already specifies what to include; it will exclude the confirmcustomer URL unless your _raw consists of both URLs in the same event.
I edited this to use 'code' tags so the editor doesn't eat weird characters. But I can't confirm there aren't missing characters - can you edit and repaste that code please?
"http://pinky/createcustomer" NOT "http:/pinky/confirmcustomer" | join type=left vsid [ search "http:/pinky/searchcustomer" ] | eval time=strftime(_time,"%a %B %d %Y %H:%M:%S.%N")| stats count(vsid) as TempcustomerCount list(email) as Email list(firstname) as FirstName list(lastname) as LastName list(JSESSIONID) as JSessionID list(time) as Time by customerCode,previewCode,vsid | where TempcustomerCount>=5