Hey, I'm looking for a little advice.
I'm trying to produce a report showing how many events of a particular type (where the type is defined by a field) have happened grouped by a given time span... say 10 minutes.
So ideally it would look something like this
Time                | HHProjection | Importer |
------------------------------------------------
2014-07-30T14:04:00 | 200          | 230      |
The closest I've got is something along these lines
* | where Stage = "HHProjection" or Stage="Importer" | eval formattedTime = strftime(_time, "%FT%H:%M:00") | stats count by Stage, formattedTime
But as you can tell this produces a line per Stage rather than a column per Stage.
As a complete beginner how would I go about writing this query?
Thanks in advance
Try this
Stage="HHProjection" or Stage="Importer" | timechart span=10m count by Stage
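The suggested `timechart span=10m count by Stage` does two things the original search did not: it floors `_time` into 10-minute buckets (the `strftime` with `%M:00` only floored to the minute), and it pivots the `Stage` values into columns instead of rows. The Python below, an added illustration that is not code from this thread or from Splunk, reproduces both steps on a constructed list of sample events so the difference between the `stats count by Stage, bucket` shape and the pivoted table is visible. The event list, the extra "Validator" stage, and all helper names are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events: (ISO-8601 UTC timestamp, Stage). Not real data.
EVENTS = [
    ("2014-07-30T14:04:12Z", "HHProjection"),
    ("2014-07-30T14:07:45Z", "Importer"),
    ("2014-07-30T14:09:59Z", "HHProjection"),
    ("2014-07-30T14:10:00Z", "Importer"),
    ("2014-07-30T14:13:30Z", "Importer"),
    ("2014-07-30T14:19:01Z", "Validator"),   # dropped, like the OP's `where Stage = ...` filter
    ("2014-07-30T14:25:00Z", "HHProjection"),
]

STAGES = ("HHProjection", "Importer")   # the two stages the OP wants as columns
SPAN_SECONDS = 600                       # span=10m


def parse_time(ts):
    """Parse the constructed ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_start(dt, span=SPAN_SECONDS):
    """Floor a datetime to the start of its span-sized bucket, aligned to the epoch
    the way timechart's span buckets are (14:04:12 -> 14:00:00 for a 10m span)."""
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)


def count_by_stage_and_bucket(events, stages=STAGES, span=SPAN_SECONDS):
    """Long form, equivalent to `... | stats count by Stage, bucket`:
    one (bucket, stage) key per row, which is the shape the OP got."""
    counts = Counter()
    for ts, stage in events:
        if stage not in stages:
            continue
        counts[(bucket_start(parse_time(ts), span), stage)] += 1
    return counts


def pivot(counts, stages=STAGES):
    """Pivot the long form into one row per bucket with a column per stage,
    which is what `timechart ... count by Stage` produces. Buckets with no
    events for a stage get 0; rows come out in time order."""
    rows = defaultdict(lambda: {s: 0 for s in stages})
    for (bucket, stage), n in counts.items():
        rows[bucket][stage] = n
    return [(b.strftime("%Y-%m-%dT%H:%M:%S"), rows[b]) for b in sorted(rows)]


def render(table, stages=STAGES):
    """Render the pivoted rows in the plain-text layout the OP sketched."""
    header = "Time                | " + " | ".join(stages) + " |"
    lines = [header, "-" * len(header)]
    for time, cols in table:
        lines.append(f"{time} | " + " | ".join(str(cols[s]) for s in stages) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    long_form = count_by_stage_and_bucket(EVENTS)
    print("stats-style rows:", sorted(long_form.items()))
    print(render(pivot(long_form)))
```

Run as-is it prints the long form first (three `(bucket, Stage)` rows with their counts) and then the three-row pivoted table, with a 0 where a stage had no events in a bucket. Note that the sample event at 14:10:00 lands in the 14:10 bucket, not the 14:00 one, because buckets are closed at the start and open at the end.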
perfect, thanks!