So, I have a search with a regex that has pulled 2 different fields - let's say user and client.
The URL is something like,
{base_url}/user/{user_1}/hello.
This user field can hold 100s of values - user_1, user_2, user_3, ...
I want to know how many times each "user" is hit on a daily basis for different clients (there are 4 clients). And I only want the users that have max hits every day (top 5).
So, for every day, for every client, top 5 users with the count, of course.
How do I do that?
I tried this,
My_search|bucket span=1d _time | stats count by _time client user | head 5
This gives me a messed-up output. Any ideas?
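An added example, not part of the original post: `head 5` keeps only the first 5 rows of the whole result set, so one way to get the top 5 users per client per day is to sort within each day/client group and rank the rows with `streamstats`. `My_search` is the poster's placeholder for the base search, and `rank` is a field name chosen here for illustration.

```spl
My_search
| bucket span=1d _time
| stats count by _time client user
| sort 0 _time client -count
| streamstats count as rank by _time client
| where rank <= 5
| fields _time client user count
```

The `0` after `sort` lifts the default 10,000-row limit so that no day/client group is truncated before ranking.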