I am trying to create a map where I can look at users max duration between logins who register with us between 2 fixed dates i.e. jan17-feb17.
So i have the following which is interesting but doesnt give the max length.
| dedup eventId
| stats count(_time) as appear_count, values(_time) as appear_dates max(_time) as last min(_time) as latest by customerNumber
| eval first_appear=strftime(first,"%d/%m/%Y")
| eval last_appear=strftime(last,"%d/%m/%Y")
| eval appear_dates=strftime(appear_dates,"%d/%m/%Y")
| eval duration=(last-latest)
| eval duration=round((last-first)/86400)
| where first<01/02/2019
For example i have a user that has used the service 400 times with a max break of about a week. So i needed the search to pick up the user where first appear = jan-feb2017 and then i need to know that this user has had at max a weeks break between accessing.
Does this make sense.
Its almost as if i need towrite the search to collect all users where first<28/02/2017.
- and then i need to eval each event in order and subtract the later from the earlier,.. so for someone who accessed the service 5 times it would be
event 1 22/02/2017
event 2 25/02/2017 (diff between event 2-1 = 3days)
event 3 01/03/2017 (diff between event 3-2 = 4days) event 4 09/03/2017 (diff between event 2-1 = 8days)
LAST event 5 10/03/2017 (diff between event 2-1 = 1day)