How do I get timeColumnName to read as "July"? It needs to be dynamic. Keying off of the eval or something similar.
index="main" | eval timeColumnName=strftime(_time, "%b %d") | stats sparkline AS timeColumnName count by userName
The solution should easily work with
index="main" | eval timeColumnName=strftime(_time, "%b %d") | stats sparkline AS timeColumnName count by userName
Explicitly renaming | rename timeColumnName AS July is not what I'm looking for. I don't want to update the code in August.
For the first example, output should look like:
userName | July | Count |
userA | prettyGraphic, use your imagination | 54 |
userB | prettyGraphic | 23 |
And example 2 should have the date for an individual day:
userName | July 12 | Count |
userA | prettyGraphic, use your imagination | 54 |
userB | prettyGraphic | 23 |
Sadly, the output currently looks like:
userName | timeColumnName | Count |
userA | prettyGraphic, use your imagination | 54 |
userB | prettyGraphic | 23 |
Hello,
You could have a look at the following search (unless you've already solved the problem yourself). It makes use of the field date_month, which is calculated for all events (apart from any Windows event logs), along with date_hour, date_minute, date_wday, etc.
your_search_here | chart sparkline count AS usage_count over userid by date_month
userid | sparkline:september | usage_count:september |
adam | graphics here | 43 |
bill | graphics here | 92 |
cecilia | graphics here | 238 |
As you will see, it does not edit the actual column header, but rather uses the date_month as its header, of sorts. However, it will only look as intended if you limit the search so that only events from a single month are returned. The search will work for other time-ranges as well, but the output will not be what you desire.
Hope this helps,
Kristian