I have the following code from a web log, which gives me a table of the Time (by minute), the total for that minute, and the prediction and residual values.
I want to separate this by country, not just time.
i.e., for each country and their times, what are the count values etc.
How can I update my code, which doesn't split the total and time by country?
index=* sourcetype ="access_combined" clientip=*
| iplocation clientip
| bin _time span=1m
| stats count AS perMin by _time, Country
| timechart span=1m sum(perMin) AS Total
| predict Total as prediction algorithm=LLP future_timespan=5 holdback=0
| where prediction!="" AND Total!=""
| eval residual = prediction - Total