index=MyApp earliest="@d-1h" latest="@d+11h" | stats count
That query provides an event count of all events that occurred between 23:00 yesterday and 11:00 this morning. Is there a way that I can get a similar count of all events for the past 30 days and put that data in a chart? The objective is to produce a chart with the daily number of events for the past 30 days. The event count would have to be associated with the date.
Thanks
Sure. Try this out:
index=MyApp earliest=-30d@d latest=@d | timechart span=1d count
You could even look at the same time window for each 'day':
index=MyApp earliest=-30d@d-1h latest=-1d@d+11h | bucket _time span=24h | stats sum(eval(if((date_hour>=23) OR (date_hour<11),1,0))) as TimeWindowCount by _time
You could take a step further if you wanted, and compare the current to that time window and toss it in a graph, which would give you a nice line across showing today's data, giving you a point of comparison against the historical:
index=MyApp earliest=-30d@d-1h latest=-1d@d+11h
| bucket _time span=24h
| stats sum(eval(if((date_hour>=23) OR (date_hour<11),1,0))) as TimeWindowCount by _time
| appendcols
[search index=MyApp earliest="@d-1h" latest="@d+11h"
| stats count as RecentWindow]
| eventstats max(RecentWindow) as RecentWindow
| rename TimeWindowCount as "Historical Count During Window"
| rename RecentWindow as "Most Recent Time Window Count"
Or you could just use the first one, if that's all you're looking for.
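A variant of the same per-day window count, added here as an example and not part of David's answer: it shifts _time forward one hour before binning so that each daily bin holds one contiguous 23:00-11:00 window, labelled by the morning it ends on. The index name and time bounds come from the thread; the shift and the timechart form are assumed.

```spl
index=MyApp earliest=-30d@d-1h latest=@d+11h
| where date_hour>=23 OR date_hour<11
| eval _time=_time+3600
| timechart span=1d count as TimeWindowCount
```

The date_hour field is taken from the timestamp in the raw event, so if your events carry a different timezone from the search timezone the hour test will not line up with the wall-clock window; compare against strftime(_time, "%H") instead in that case.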
David - that is very helpful. Thanks so much!!