I'm trying to make a stacked column chart showing how users are changing some setting ("powerChanged") by build.
Here's my search which is doing the trick to create a chart showing what the users are changing that setting to.
index = "power" name = "powerChanged" isTest = "False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900)
| eval powerDiff= ABS( oldPower-newPower)
| where powerDiff>5 AND powerDiff<100
| chart count(newPower) as "Count" over build by newPower span=10
However, some of the builds only have 5-10 users whereas our production builds have thousands of users, making it difficult to look for trends. In the chart, how can I discard builds which have fewer than 1000 results?
Like this:
index = "power" name = "powerChanged" isTest = "False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900)
| eval powerDiff= ABS( oldPower-newPower)
| where powerDiff>5 AND powerDiff<100
| stats count by build newPower
| eventstats sum(count) AS newPowerCount BY newPower
| where newPowerCount >=1000
| chart sum(count) as Count over build by newPower span=10
Give this a try
index = "power" name = "powerChanged" isTest = "False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900) | eval powerDiff= ABS( oldPower-newPower)
| where powerDiff>5 AND powerDiff<100
| stats count by build newPower | where count>=1000
| chart sum(count) as Count over build by newPower span=10
Thanks for helping a newbie out 🙂 This is close, but rather than "where count>1000", I want something like "where sum(count)>=1000" to reflect builds with 1000 users across all values of newPower, rather than builds with 1000 users at each newPower value.
Of course, I can't express it this way - I'll spend some more time thinking...
In that case you need the answer provided by @woodcock below, which does exactly the same.
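The per-build filter described in the comment above (keep only builds whose count, summed over every newPower value, is at least 1000), written out as an added example that is not from any poster in this thread. The field name `buildTotal` is introduced here for illustration; everything else reuses the fields from the question.

```spl
index="power" name="powerChanged" isTest="False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900)
| eval powerDiff=abs(oldPower-newPower)
| where powerDiff>5 AND powerDiff<100
| stats count by build newPower
| eventstats sum(count) AS buildTotal by build
| where buildTotal>=1000
| chart sum(count) AS Count over build by newPower span=10
```

`eventstats` writes each build's total onto every one of that build's rows without collapsing them, so the `where` clause drops all rows of a low-volume build together and the chart still receives the per-newPower counts for the builds that remain.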