I would like to construct a bar graph comparing login events between two applications; however, I'm having trouble joining my two search queries. They both rely on count, as I simply need to count the number of login events per application.
I believe the associated table would need to be output like so:
Application name | Login count
APP1 | 10
APP2 | 22
index=tracking_all topic="DATA.TRACKING.DEBATCHED.APP1" payload.props.schema="*login*"
| stats count as APP1
| join count [search index=tracking_all topic="DATA.TRACKING.DEBATCHED.APP2" payload.props.schema="*login*" | stats count as APP2]
Joining by count doesn't make sense to me. Try this, which should perform better without the join.
index=tracking_all payload.props.schema="*login*"
| rex field=topic "\.(?P<app>\w+)$"
| stats count by app
| rename app as "Application name", count as "Login count"
| table "Application name" "Login count"
I should probably mention that my apps aren't actually called app1 and app2; if they were, I'd think that would be poor naming on my behalf. Is there a way to do this based on two app names that don't follow a pattern?
My answer presumes the app name can be extracted from the topic field, but the names themselves don't matter. Feel free to change the rex command to fit the real world.
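For the case raised in the follow-up, where the two names share no pattern that a rex could extract, here is an added example (not posted by anyone in this thread) that selects the two topics explicitly and maps each to a display name with case(). The topic strings are the ones from the question; the display names are placeholders to replace with the real application names.

```spl
index=tracking_all payload.props.schema="*login*" topic IN ("DATA.TRACKING.DEBATCHED.APP1", "DATA.TRACKING.DEBATCHED.APP2")
| eval app=case(topic=="DATA.TRACKING.DEBATCHED.APP1", "First application (placeholder name)",
                topic=="DATA.TRACKING.DEBATCHED.APP2", "Second application (placeholder name)")
| stats count by app
| rename app as "Application name", count as "Login count"
| table "Application name" "Login count"
```

Because the topic filter is part of the base search, login events from any other topic in the index are not counted, and an application with no login events in the time range will simply have no row.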