1 Solution
@RobertRi have you experimented with the timewrap command ?
| timechart span=1h count(User) as Users by App
| timewrap 1day
Here is what it can help produce:
| makeresults
| eval _raw = "time, User, App
22-03-2020 01:00:00, user1, appA
22-03-2020 01:00:00, user1, appB
22-03-2020 01:00:00, user2, appA
22-03-2020 02:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
22-03-2020 02:00:00, user1, appA
22-03-2020 02:00:00, user1, appB
22-03-2020 03:00:00, user2, appA
22-03-2020 04:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
24-03-2020 01:00:00, user1, appB
24-03-2020 01:00:00, user2, appA
25-03-2020 02:00:00, user2, appB
25-03-2020 01:00:00, user1, appA
26-03-2020 01:00:00, user1, appB
27-03-2020 01:00:00, user2, appA
28-03-2020 02:00:00, user2, appB"
| multikv forceheader=1
| eval _time = strptime(time, "%d-%m-%Y %H:%M:%S")
| timechart span=1h count(User) as Users by App
| timewrap 1day
@RobertRi have you experimented with the timewrap command ?
| timechart span=1h count(User) as Users by App
| timewrap 1day
Here is what it can help produce:
| makeresults
| eval _raw = "time, User, App
22-03-2020 01:00:00, user1, appA
22-03-2020 01:00:00, user1, appB
22-03-2020 01:00:00, user2, appA
22-03-2020 02:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
22-03-2020 02:00:00, user1, appA
22-03-2020 02:00:00, user1, appB
22-03-2020 03:00:00, user2, appA
22-03-2020 04:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
24-03-2020 01:00:00, user1, appB
24-03-2020 01:00:00, user2, appA
25-03-2020 02:00:00, user2, appB
25-03-2020 01:00:00, user1, appA
26-03-2020 01:00:00, user1, appB
27-03-2020 01:00:00, user2, appA
28-03-2020 02:00:00, user2, appB"
| multikv forceheader=1
| eval _time = strptime(time, "%d-%m-%Y %H:%M:%S")
| timechart span=1h count(User) as Users by App
| timewrap 1day
