This is sort of what I'm looking for.
Is there a way to format the query so that it counts by audittype and displays the average next to it like you did for your index?
Like if I did
index="myindex" mcType=auditLog auditType="*" |stats count by auditType
It currently shows as
auditType, count
but I'd love to see
auditType, avg, count
With your query
index="myindex" mcType=auditLog auditType=* | timechart span=1d count | eventstats avg(count) as avg | where count >=0.1*avg
I'm getting time, count, average
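Added example, not from the original thread: the first search counts per auditType and places the average of those per-type counts beside each row; the second goes further and computes a per-day count per auditType, compares each day against that type's own daily average, and keeps only days that fell below 10% of it, which is the kind of drop that indicates an audit source has gone quiet. Both assume the index name and the mcType/auditType field names exactly as written in the question.

```spl
index="myindex" mcType=auditLog auditType=*
| stats count by auditType
| eventstats avg(count) as avg
| eval avg=round(avg, 2)
| table auditType avg count

index="myindex" mcType=auditLog auditType=*
| bin _time span=1d
| stats count by _time auditType
| eventstats avg(count) as avg by auditType
| eval avg=round(avg, 2)
| where count < 0.1*avg
| table _time auditType count avg
```

Run the two searches separately; eventstats keeps every row and only appends the average, so the column order in the final table is set by the `table` command rather than by the stats call.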