Hi,
Please help me sort this out.
I have a single search like index=test sourcetype=test ... | stats count, but the trick here is I have to find the count for -30m@m, -15m@m and -5m@m, and the condition is we shouldn't use append or multisearch. It should run in a single query.
The output would look something like below:
count(last30min) count(last15min) count(last5m)
xxx xxxx xxxxx
NOTE: it should run in a single search, no append or multisearch
Hi,
You can create a field which identifies the time frame bucket. e.g.
..| eval currentTime=now() | eval timeBucket=case(_time > (currentTime-300), "5Mins", _time > (currentTime-900), "15Mins", _time > (currentTime-1800), "30Mins") | stats count by timeBucket
Note: convert mins to seconds for the comparison.
Thanks!!
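A worked version of the bucket idea that returns the single-row layout asked for in the question (an added example, not from the original answer; index=test and sourcetype=test are taken from the question, and the inline earliest= is assumed so the search reads only the last 30 minutes regardless of the time picker):

```spl
index=test sourcetype=test earliest=-30m@m latest=now
| eval last30=if(_time >= relative_time(now(), "-30m@m"), 1, 0)
| eval last15=if(_time >= relative_time(now(), "-15m@m"), 1, 0)
| eval last5=if(_time >= relative_time(now(), "-5m@m"), 1, 0)
| stats sum(last30) AS "count(last30min)" sum(last15) AS "count(last15min)" sum(last5) AS "count(last5m)"
```

Because the three flags are cumulative rather than exclusive buckets, an event from the last 5 minutes contributes to all three columns, which is what the requested count(last30min) / count(last15min) / count(last5m) row implies. No append, appendcols or subsearch is involved, so it counts as a single concurrent search.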
Can you explain why you have the condition banning append (and presumably appendcols) and subsearches?
The condition was that the env we are using can run only 10 concurrent searches and I already have 9 searches in place, so that's why we ignored append.