For the 1st query above I removed makeresults and streamstats and redid the evaluation on a temp field of time instead of _time, as below, and it gave me the same results.
base search
| eval t=_time
| eval offset=relative_time(now(),"@m")-relative_time(now(),"@h"), t=t-offset
| bin t span=1h
| eval t=t+offset
| stats range(_time) AS Range, latest(_time) AS Latest count BY t, ErrCode
| eval LastEvent=strftime(Latest, "%Y-%m-%d %H:%M:%S"), t=strftime(t, "%Y-%m-%d %H:%M:%S")
Is this the correct way? As per the results, it's the same as using the initial query with makeresults and streamstats.
Moreover, I'm curious about "eval _time=_time-count": what does it do as per the calculations? Since _time would be in time format and count would be a number.
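Added example, not from the original post or from Splunk: a Python re-implementation of the offset binning in the query above (relative_time snapped to "@m"/"@h", bin span=1h, then stats by bucket and ErrCode), run over a few constructed events so the bucket boundaries are visible. It models _time as epoch seconds, which is also why an expression like _time-count simply moves the timestamp count seconds earlier; strftime is assumed to use UTC where Splunk would use the search time zone.

```python
from datetime import datetime, timezone

SPAN = 3600  # bin t span=1h


def relative_time(epoch, snap):
    """Minimal stand-in for Splunk's relative_time(); only the two snap
    modifiers the query uses are modelled (assumption)."""
    if snap == "@m":
        return epoch - (epoch % 60)
    if snap == "@h":
        return epoch - (epoch % SPAN)
    raise ValueError(f"unsupported snap modifier {snap!r}")


def offset_bucket(t, now, span=SPAN):
    """eval offset=relative_time(now(),"@m")-relative_time(now(),"@h"), t=t-offset
       | bin t span=1h | eval t=t+offset
    offset is the minutes elapsed in the current hour, so the buckets are
    hour-long windows ending on the current minute instead of on :00."""
    offset = relative_time(now, "@m") - relative_time(now, "@h")
    shifted = t - offset
    binned = shifted - (shifted % span)  # bin floors to the span boundary
    return binned + offset


def shift_time_by_count(epoch, count):
    """eval _time=_time-count: _time is epoch seconds, so this is plain
    numeric subtraction and yields a time `count` seconds earlier."""
    return epoch - count


def stats_by_bucket(events, now):
    """stats range(_time) AS Range, latest(_time) AS Latest count BY t, ErrCode
    events: iterable of (epoch, errcode); returns {(bucket, errcode): row}."""
    rows = {}
    for epoch, err in events:
        key = (offset_bucket(epoch, now), err)
        row = rows.setdefault(key, {"count": 0, "earliest": epoch, "latest": epoch})
        row["count"] += 1
        row["earliest"] = min(row["earliest"], epoch)
        row["latest"] = max(row["latest"], epoch)
    return {k: {"Range": r["latest"] - r["earliest"], "Latest": r["latest"],
                "count": r["count"]} for k, r in rows.items()}


def fmt(epoch):
    """strftime(t, "%Y-%m-%d %H:%M:%S"), UTC assumed."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample: NOW is 2023-11-14 22:37:25 UTC, so offset is 37 minutes.
NOW = 1700001445
SAMPLE_EVENTS = [(NOW - 3745, "E1"), (NOW - 1245, "E1"), (NOW - 745, "E1"), (NOW - 15, "E2")]
```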