I am looking for a search to get a count of each application per day. Below is the search I have now, which gives count for everything for that day. I need count per application per day.
index=index1 ...| bin span=1d _time | stats values(app) count(app) by _time
The result I get is below:
08/10/17 app1, app2, app3 total count of all 3 apps.
But what I want is this:
08/10/17 app1 count of app1
app2 count of app2
Try this ...
index=index1 ...| bin span=1d _time | stats count as appcount by _time app
It is the count(app) thing that gets everybody. What we all should understand (and what is not taught anywhere) is that count(app) is actually count(eval(isnotnull(app))) which in the vast majority of cases simplifies down to being just count.
Yeah, I avoid () with count whenever I can, especially when typing aircode. Figuring out what quotes are needed for evals in there is nontrivial at the moment. Write many, test many, post... well, usually twice...