Hi all,
Can someone help me on this problem?
I'm working on a dashboard in which I need to show how many users logged into the system, and I need to have 2 views for each 30 minutes: 1. Today 2. Over time
(just to see whether today we are getting more users logged on than in the history). I can search each one using the earliest and latest functions, but I don't know how to join them for the same time.
Here is an example:
my-search logon-action earliest=1 latest=now()
| fields _time
| bucket span=30min _time
| eval hour=strftime(_time, "%H:%M")
| chart count as "Over-time" over hour
Statistics came like this:
Hour    Count
01:00   4
01:30   10
02:00   5
03:00   8
05:00   1
my-search logon-action earliest=-1@d latest=now()
| fields _time
| bucket span=30min _time
| eval hour=strftime(_time, "%H:%M")
| chart count as "today" over hour
Statistics came like this:
hour    count
01:30   1
03:00   8
I'm using the "appendcols" command to have 1 result of the count per 30 min to chart it:
my-search logon-action earliest=1 latest=now()
| fields _time
| bucket span=30min _time
| eval hour=strftime(_time, "%H:%M")
| chart count as "Over-time" over hour
| appendcols [
    search my-search logon-action earliest=-1@d latest=now()
    | fields _time
    | bucket span=30min _time
    | eval hour=strftime(_time, "%H:%M")
    | chart count as "today" over hour
  ]
and I'm getting this:
hour    over time   today
01:00   4           1
01:30   10          8
02:00   5
03:00   8
05:00   1
So, the numbers 1 and 8 of "today" are in the lines of 01:00 and 01:30, but they actually belong to 01:30 and 03:00.
How can I fix it? I don't know how to do it and I would appreciate it if you guys could help me to get something like this:
hour    over time   today
01:00   4           0
01:30   10          1
02:00   5           0
03:00   8           8
05:00   1           0
Any other idea to fix it is welcome.
Thank you!
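Added example (not part of the original post, and not a posted answer): appendcols pastes the subsearch rows next to the outer rows by position, not by matching the hour key, which is why the today counts slide up into the wrong rows. One way to get both columns keyed on the same hour is to run a single search over the whole history, flag each event as belonging to today with a conditional eval, and let stats aggregate both columns by hour at once. "my-search logon-action" is kept as the placeholder base search from the post, and the time range earliest=1 latest=now() is the one the post uses for the over-time view; the today flag compares _time with midnight of the current day, so it is an assumption that "today" means the current calendar day in the search head's time zone.

```spl
my-search logon-action earliest=1 latest=now()
| bucket span=30min _time
| eval hour=strftime(_time, "%H:%M")
| eval today=if(_time >= relative_time(now(), "@d"), 1, 0)
| stats count as "Over-time" sum(today) as "today" by hour
```

Because every event contributes to the "Over-time" count and only events after midnight contribute 1 to the "today" sum, an hour bucket with no logons today shows today=0 rather than an empty cell, which is the shape of the desired table above. If the two searches have to stay separate (for example because they hit different indexes), the same alignment can be achieved by replacing appendcols with append and following it with stats sum("Over-time") as "Over-time" sum(today) as today by hour, so that rows are merged on the hour value instead of by row position; fillnull value=0 can then replace any missing cells with 0.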