Solved: Re: timechart of a sliding window count

pr0n · ‎07-10-2019

I need a timechart that counts the number of distinct fieldx where that fieldx has more than x events in that span/bin.

I hope that makes sense, so sudocode would be something like

index=blah | stats count by fieldx as blah | where blah>5 |timechart span=1hr count distinct by fieldx

That search obviously doesn't work, I'm not sure how to structure it to get what I want.

richgalloway · ‎07-10-2019

The pseudo-code fails because the stats command eliminated the _time field needed by timechart. Try this alternative:

index = blah | bin span=1h _time | stats count by _time fieldx | where count > 5 | timechart span=1h max(count) by fieldx

---
If this reply helps you, Karma would be appreciated.

pr0n · ‎07-10-2019

I was able to do this at seems to work correctly

index=asdf fieldx=* | bucket _time span=day  | stats  count by fieldx _time  | where count>2  | timechart distinct_count(fieldx)

richgalloway · ‎07-10-2019

The pseudo-code fails because the stats command eliminated the _time field needed by timechart. Try this alternative:

index = blah | bin span=1h _time | stats count by _time fieldx | where count > 5 | timechart span=1h max(count) by fieldx

---
If this reply helps you, Karma would be appreciated.

timechart of a sliding window count