I am trying:
name=foo minutesago=1 | head 1000 | dedup host | stats list(host) as list | map search="search host=$list$ | head 1"
the "name=foo minutesago=1" search will return a bunch of e...
...escriptions and examples, see "Functions for stats, chart,
and timechart".
but when I run the per_minute(), per_second() functions with the stats and streamstats commands,
it doesn't work. Why?
any i...
...val NUUMA=tostring(upper(USERNAME)) | fillnull value=NULL UserAcControl]
| stats values(UserAcControl) count by NUUMA
I am getting the results that I need, but after the STATS command, I need t...
...6 11:00 - 0.590000
...
...
Unfortunately I cannot use a "span" argument to the stats command like with a timechart. I've tried using bins/buckets but I can't find many good examples of this....
...o this timestamp
... | eval mostrecent = stats first(OStime) | search OStime=mostrecent
This fails with an "Error in 'eval' command: The operator at 'first(OStime)' is invalid."
Thanks in d...
Hi, I am facing a difference in count between stats and timechart for the same search and same filters. Stats cmd: Last 24 hours search|bin span=1d _time |stats count by Status|eventstats sum(*) as s...
...plunk UI
index="ex_firewall" accept or allowed
| stats count by dst_ip
| lookup test_output.py dst_ip as field1
Throwing error
Error in 'lookup' command: Could not construct lookup 't...
...ecoded field which gives a "p" thing as a result. Examples of | Search NOT: Example of Stats resulted "p": | rex field="process" ".*-(e|E)(n|N)[codemanCODEMAN]{0,12}\ (?<p...
...o this:
earliest=5/12/2014:00:00:00 latest=5/13/2014:00:00:00 index=test1 | stats sum(duration) AS duration by type city | eventstats sum(duration) AS city_duration by city | appendpipe [ stats s...