I have a log for a documents database. It gives me a daily report of total documents in each collection (each collection and total is one event in the log).
The powers have asked that I show how many documents were added each day for yesterday's and today's totals. So basically, I need to gather and compute the following:
-2d@d -> collection=master doccount=1000
-1d@d -> collection=master doccount=1200 delta=200
@d -> collection=master doccount=1500 delta=300
and I need to do this per collection for about 50 collections.
I'm playing with some pretty complex evals, but I hope there is a simpler way.
Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).
And a (potentially correct/working) run-anywhere example:
index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A")
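The same streamstats pattern applied to the question's collection and doccount fields, as an added run-anywhere example that is not part of the original answer. The master rows use the numbers from the question; the archive collection and its counts are constructed sample data, and the final where keeps only yesterday's and today's rows once the day before has served as the baseline.

```spl
| makeresults count=6
| streamstats count AS n
| eval collection=if(n<=3, "master", "archive")
| eval day=case(n%3==1, "-2d@d", n%3==2, "-1d@d", n%3==0, "@d")
| eval _time=relative_time(now(), day)
| eval doccount=case(n==1, 1000, n==2, 1200, n==3, 1500, n==4, 50, n==5, 50, n==6, 80)
| fields _time collection doccount
| sort 0 _time collection
| streamstats current=f last(doccount) AS prev_doccount BY collection
| eval delta=doccount-prev_doccount
| where _time>=relative_time(now(), "-1d@d")
| table _time collection doccount delta
```

On real data, replace everything up to and including the fields line with the search for the daily report events over earliest=-2d@d, followed by bin span=1d _time and stats latest(doccount) AS doccount BY _time collection. Because doccount is already a running total, this takes the latest value per day rather than a sum.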
I hereby announce my undying love for you and your queries!
Thanks a bunch.