I have two queries that return an accumulated total of transactions.
host="konecta-marketing" "request.input.text"="*" | stats count
host="konecta-marketing"| stats count by request.context.conversation_id | search count>1 | stats count
I've tried to make a time chart with this, but unsuccessfully:
host="konecta-marketing" | timechart count(request.context.conversation_id) as Conversaciones count(request.input.text) as Peticiones | search Conversaciones > 1
When I use this query, the result in the graph is not the same as when I use the first query (host="konecta-marketing"| stats count by request.context.conversation_id | search count>1 | stats count)
Any idea?
I only need to compare in a graph the two accumulators of the previous queries.
Are you trying to get a distinct count of how many request.context.conversation_id there are (when there are more than one of each)? In your second query, you're doing a stats count by request.context.conversation_id and then counting those results, which is only counting the number of results - basically counting how many request.context.conversation_ids you have. I just want to make sure that's what you're trying to do, and not wanting to sum up the values of
In your query that doesn't quite work, you're basically counting every single instance of request.context.conversation_id, which is similar to if you were to sum it at the end in the original syntax (without the filter of count>1), but since you aren't counting by that field, when you are searching Conversaciones>1, you are basically eliminating any timespan (which is automatically set depending on your time range since you don't have it specified in timechart) that doesn't have a count>1. So the queries themselves are not the same at all.
What you might want to do is do an
|eventstats count as Conversaciones by request.context.conversation_id|search Conversaciones>1 OR request.input.text=*|timechart sum(Conversaciones) as Conversaciones count(request.input.text) as Peticiones
or something similar.
Thanks for the reply.
Yes, I want to do it so ... but in this case it is strange, because my query (host="konecta-marketing"| stats count by request.context.conversation_id | search count>1 | stats count) returns 5500 events and the new query like you said returns 9000 events. Both must be the same.
In this query I count all events and then count whether they occur 2 or more times; for me that is a conversation, and it works in a graph of type counter, but I need to compare it vs. requests (host="konecta-marketing" "request.input.text"="*" | stats count) in a timechart graph or similar.
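
The three queries in this thread do different arithmetic, which is why their totals disagree. The Python model below is an added example, not part of the original posts; the sample events, the function names and the final per-bucket distinct count are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed events: (time bucket, conversation_id, request.input.text present?)
EVENTS = [
    (0, "c1", True), (0, "c1", True), (1, "c1", False),
    (0, "c2", True),
    (1, "c3", True), (1, "c3", True),
    (2, "c4", False),
]

def per_id_counts(events):
    # What "count by request.context.conversation_id" yields for each id
    return Counter(cid for _, cid, _ in events)

def stats_distinct_conversations(events):
    # stats count by id | search count>1 | stats count
    return sum(1 for n in per_id_counts(events).values() if n > 1)

def timechart_count_filtered(events):
    # timechart count(id) as Conversaciones count(text) as Peticiones
    #   | search Conversaciones > 1   (drops whole time buckets, not ids)
    rows = defaultdict(lambda: [0, 0])
    for bucket, _, has_text in events:
        rows[bucket][0] += 1
        rows[bucket][1] += int(has_text)
    return {b: tuple(r) for b, r in rows.items() if r[0] > 1}

def eventstats_sum(events):
    # eventstats count as Conversaciones by id
    #   | search Conversaciones>1 OR text=* | timechart sum(Conversaciones)
    n = per_id_counts(events)
    rows = defaultdict(int)
    for bucket, cid, has_text in events:
        if n[cid] > 1 or has_text:
            rows[bucket] += n[cid]  # every event adds its id's full count
    return dict(rows)

def distinct_per_bucket(events):
    # Assumed alternative: distinct ids per bucket, restricted to ids
    # that have more than one event over the whole time range
    n = per_id_counts(events)
    seen = defaultdict(set)
    for bucket, cid, _ in events:
        if n[cid] > 1:
            seen[bucket].add(cid)
    return {b: len(s) for b, s in seen.items()}
```

On this data the stats query finds 2 conversations, while the eventstats variant sums to 14, because each event contributes its conversation's whole count. Even the per-bucket distinct count totals 3, since a conversation spanning two buckets is counted once in each.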