Hi all, I've just learned how to use the commands below but I'm not sure how to apply them to a bar chart:
| where test >= relative_time(now(), "-14d") AND test < relative_time(now(), "-7d")
Very simple data:
Date Sold
2016-11-12 9
2016-11-13 8
2016-12-14 2
2016-12-12 1
2016-12-12 0
...
So basically I need to sum up all SOLD TICKETS per Current week, prior week and third week.
How do I do that with stats or some other commands? This is as far as I got:
| timechart span=24h count("100_ of Ads Viewed") AS Total
That shows me the count for every month but I only need to count Current week, prior week and third week.
I need to mimic the graphic below:
Thank you
How about you use the relative_time to calculate when it happened and then chart using it. Let's say that the dates above are coming in a field called test in epoch time then try something like:
your query to return events earliest="-21d"
| eval myTime=case(test >= relative_time(now(), "-7d"), "CurrentWeek", test >= relative_time(now(), "-14d") AND test < relative_time(now(), "-7d"), "PriorWeek", test >= relative_time(now(), "-21d") AND test < relative_time(now(), "-14d"), "ThirdWeek", 1=1, "Other")
| stats count("100_ of Ads Viewed") AS Total by myTime
Assumption above is "-7d" means "seven days prior to now" and not exactly "Current Week starting from Monday"
If test field has date as a string then take out the epoch time from it first, using strptime, before the case statement in above search as follows:
...| eval epochTest=strptime(test, "%Y-%m-%d")
| eval myTime=case(epochTest >= relative_time(now(), "-7d"), "CurrentWeek",... and so on
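An added example, not part of the original answer: the case() bucketing above modelled in Python so the window boundaries can be checked offline, summing Sold per bucket as the question asks. The sample rows and the fixed `now` are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample rows (Date, Sold); not the poster's data.
SAMPLE = [
    ("2016-12-14", 2), ("2016-12-12", 1), ("2016-12-08", 4),
    ("2016-12-07", 5), ("2016-12-01", 3), ("2016-11-30", 7),
    ("2016-11-13", 8),
]


def bucket(ts, now):
    """Mirror the case() expression: rolling 7-day windows, first match wins."""
    if ts >= now - timedelta(days=7):
        return "CurrentWeek"
    if ts >= now - timedelta(days=14):
        return "PriorWeek"
    if ts >= now - timedelta(days=21):
        return "ThirdWeek"
    return "Other"


def weekly_totals(rows, now):
    """Equivalent of strptime + case + a sum of Sold grouped by myTime."""
    totals = {"CurrentWeek": 0, "PriorWeek": 0, "ThirdWeek": 0}
    for date_str, sold in rows:
        # Like strptime(test, "%Y-%m-%d"): a bare date parses to midnight.
        ts = datetime.strptime(date_str, "%Y-%m-%d")
        label = bucket(ts, now)
        if label != "Other":
            totals[label] += sold
    return totals


if __name__ == "__main__":
    # Fixed "now" (constructed) so the result is reproducible.
    print(weekly_totals(SAMPLE, datetime(2016, 12, 14, 12, 0)))
```

With `now` at midday, the row dated exactly seven days back parses to midnight and therefore lands in PriorWeek, which is the rolling-window behaviour the answer's assumption describes.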
Try like this
your base search earliest=-2w@w latest=now | timechart span=1w count("100_ of Ads Viewed") AS Total
| eval period=case(_time>=relative_time(now(),"@w"),"This Week", _time>=relative_time(now(),"-1w@w"),"Prior Week",1=1,"Third Week") | table period Total