I am looking for a search to get a count of each application per day. Below is the search I have now, which gives a count for everything for that day. I need a count per application per day.
index=index1 ...| bin span=1d _time | stats values(app) count(app) by _time
The result I get is below:
08/10/17 app1, app2, app3 total count of all 3 apps.
But what I want is this:
08/10/17 app1 count of app1 app2 count of app2
It is the count(app) thing that gets everybody. What we all should understand (and what is not taught anywhere) is that count(app) is actually count(eval(isnotnull(app))) which in the vast majority of cases simplifies down to being just
Yeah, I avoid count whenever I can, especially when typing aircode. Figuring out what quotes are needed for evals in there is nontrivial at the moment. Write many, test many, post... well, usually twice...
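The per-application, per-day split asked for above, as an added example that is not from any poster in this thread. It runs on six events constructed with makeresults (two of them deliberately left without an app value), and the field names n, day_events and day_has_app are made up for the illustration.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "@d") - if(n > 4, 86400, 0)
| eval app = case(n == 1 OR n == 2, "app1", n == 3 OR n == 5, "app2")
| bin span=1d _time
| eventstats count AS day_events, count(app) AS day_has_app BY _time
| stats count BY _time, app, day_events, day_has_app
```

Each output row is one app on one day with its own count. day_events counts every event in that day, while day_has_app counts only events where app is not null, and those null-app events produce no row in the BY app split.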