Hello, I'm trying to accumulate and analyze a person's risk score every day, once per day, and only fire when the total score for a given user exceeds the pre-determined threshold for that amount of time. For example, if I have a threshold chart for:

1 day
1 week
2 weeks
3 weeks
1 month
2 months
3 months
etc.

I want a running total of all the risk the person has generated, but I only want to review it when the accumulated total exceeds the threshold for the given period of time.

index=summary_events
| bin _time span=1d
| table _time,user,base_score
| timechart useother=f span=1d sum(base_score) as total_score by user

This didn't produce the results I was expecting because it was only giving me the totals for that day, but not the accumulated total. The accum command doesn't seem to take a by clause. Kind of striking out on how to properly approach this. Would love some suggestions?
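One way to get per-user running totals over several time windows in a single scheduled search, as an added example that is not part of the original post: `streamstats` accepts a by clause, and its `time_window` option sums over a trailing span of time rather than a fixed count of events, so a user with no activity on some days still gets a correct 7-day or 30-day total. The index name and field names (`summary_events`, `user`, `base_score`) come from the question above; the threshold values and the `threshold_*`, `score_*` and `fired` field names are placeholders chosen for illustration.

```spl
index=summary_events
| bin _time span=1d
| stats sum(base_score) as day_score by _time, user
| sort 0 _time
| streamstats sum(day_score) as score_7d  time_window=7d  by user
| streamstats sum(day_score) as score_14d time_window=14d by user
| streamstats sum(day_score) as score_30d time_window=30d by user
| streamstats sum(day_score) as score_all by user
| eval threshold_7d=40, threshold_14d=70, threshold_30d=120
| eval fired=case(score_30d>threshold_30d, "30d",
                  score_14d>threshold_14d, "14d",
                  score_7d>threshold_7d,   "7d",
                  true(), null())
| where isnotnull(fired)
| table _time, user, day_score, score_7d, score_14d, score_30d, score_all, fired
```

The `sort 0 _time` step matters: `streamstats time_window` requires events in time order, and with a global sort each per-user stream is ordered as well. The plain `streamstats ... by user` with no window gives the lifetime running total (`score_all`) that `accum` could not produce per user. Run this as a daily scheduled search with an alert condition of "number of results > 0" to review only the users whose accumulated score crossed a threshold that day; the `case()` ordering reports the longest window that fired, so adjust it if you prefer to see every window that was exceeded.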