Hello!
This question is probably trivial (I'm a newbie) but I just don't seem to be able to adjust my head to think how this is done. I am trying to count occurrences of each event type per month, having this kind of output:
month  field1  count
01     x       20
01     y       10
01     z       15
02     x       10
02     y       5
02     z       6
There are only about ten different values for field1, but they may change every month, so the values should come from the index.
So far I only have got to this:
source=mysource earliest=-10mon@mon | convert timeformat="%m" ctime(_time) AS month | cluster field="field1" countfield=count |table month, field1, count
Obviously this doesn't work, as it clusters & counts over all time, not per month.
I have been thinking of using a subsearch like
source="mysource" earliest=-10mon@mon | stats values(field1)
which lists the distinct values, but how can I use this result?
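As an added example (not part of the original post), one way to produce the requested per-month, per-field1 counts in SPL. It assumes, as the question does, that `_time` is the event timestamp and that `field1` is already extracted at search time; `mysource` is the source name from the question.

```spl
source=mysource earliest=-10mon@mon
| bin _time span=1mon
| eval month=strftime(_time, "%Y-%m")
| stats count BY month, field1
| sort month, field1
```

`stats count BY month, field1` groups on every distinct value of `field1` that actually occurs in each month, so no subsearch with `values(field1)` is needed; the values come from the index automatically. The `convert ... AS month` line from the question would also work in front of `stats`, but a bare `%m` folds January of two different years into one row when a ten-month window crosses a year boundary, which is why the example keys on `%Y-%m`. `cluster`, by contrast, groups raw events by textual similarity over the whole result set rather than tabulating a field's values, which is why it reports totals across the full time range.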