I’m trying to get a count for activity on around 10 different APIs.
The search is:
index=api_logs | bin span=5min _time | stats count by _time, APIName
Is it possible to use stats count so the output includes an entry for each API in each 10 minute period and reports a ‘0’ if there hasn’t been a call? I know you could chart it but I’d like the data in this particular format.
Try this
| timechart span=5m count by APIName
| untable _time APIName count
Thanks - I know it could be charted like that but that changes the structure of the data. I’d like to output the results in the three columns that stats count produces, so _time, APIname & count.
The timechart command will fill in the missing time periods.
| timechart span=5m count by APIName
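Added example, not from any post in this thread: a run-anywhere search over five constructed events (the `sample_*` API names and the time offsets are made up) that returns the three columns `_time`, `APIName` and `count`, including rows with a count of 0 for the 5-minute bucket with no calls at all and for the buckets where only one of the two APIs was called. It also sets `limit=0 useother=f`, because `timechart` by default keeps only 10 series and folds the rest into `OTHER`, which matters with around 10 APIs.

```spl
| makeresults count=5
| streamstats count AS n
| eval APIName = if(n == 5, "sample_billing", "sample_orders")
| eval offset = case(n == 1, 0, n == 2, 60, n == 3, 300, n == 4, 900, n == 5, 30)
| eval _time = relative_time(now(), "-1h@h") + offset
| timechart span=5m limit=0 useother=f count by APIName
| untable _time APIName count
```

An API with no events anywhere in the search window still gets no rows, since `timechart` only creates a column for values it has seen.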