I am trying to do the following search:
Log file looks like
2012-12-01 11:00:00 id=B starttime=2012-12-02T08:00:00 length=100
2012-12-01 11:00:00 id=C starttime=2012-12-02T08:00:00 length=150
2012-12-01 11:00:00 id=A starttime=2012-12-02T08:00:01 length=100
2012-12-01 11:00:00 id=D starttime=2012-12-02T08:00:00 length=110
2012-12-01 11:00:00 id=C starttime=2012-12-02T08:00:20 length=100
2012-12-01 11:00:00 id=A starttime=2012-12-02T08:00:00 length=200
....
First, I need to find out how many unique values of "id + starttime + length" there are:
mysearch| eval output = (id + ";" + starttime + ";" + length) | stats count AS key by output
Then I would like to find out, on an hourly basis, the distribution of the key, e.g. how many keys occurred once, twice, 10 times, 20 times, etc. per hour?
I have been struggling with it. Any suggestions?
Use this -
mysearch | bucket _time span=1h | eval output = (id + ";" + starttime + ";" + length) | stats count by _time, output
Try something like this
Yoursearch | bucket _time span=1h | eval output = (id + ";" + starttime + ";" + length) | stats count as KeyCount by _time, output | eventstats dc(output) as UniqueKeys
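The question also asks for the distribution of the key per hour (how many keys were seen once, twice, ten times, and so on). The following search is an added example, not from the question or either answer; it assumes, as the searches above do, that `id`, `starttime` and `length` are already extracted fields, and `mysearch` is the asker's placeholder for the base search. A second `stats` pass turns the per-key counts from the first pass into a histogram of counts per hour:

```spl
mysearch
| bucket _time span=1h
| eval key = id . ";" . starttime . ";" . length
| stats count AS occurrences BY _time, key
| eventstats dc(key) AS unique_keys BY _time
| stats count AS keys_with_this_count BY _time, occurrences, unique_keys
| sort _time, occurrences
```

The first `stats` gives one row per hour and key with how often that key occurred; `eventstats ... BY _time` attaches the number of distinct keys in that hour to every row, so it can be carried through the second `stats`, which counts how many keys share each occurrence value within the hour. The `.` operator is used instead of `+` because it is SPL's explicit string-concatenation operator and does not depend on whether `length` was extracted as a number or a string. For the six sample events above (all in the 11:00 hour, each key appearing once), the result is a single row with `occurrences=1`, `keys_with_this_count=6` and `unique_keys=6`.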