Using stats with a by on 2 fields works, but how c...

HattrickNZ · ‎12-06-2015

Using stats with a by on 2 fields works:

...| stats max(kpi1) as "kpi1" max(kpi2) as "kpi2" by field1 field2

but can I do the same using timechart? (so far I don't think I can)

...| timechart max(kpi1) as "kpi1" max(kpi2) as "kpi2" by field1 field2

A work around I have is to use strcat which would be something like:

...| strcat field1 "-" field2  field1_2 | timechart max(kpi1) as "kpi1" max(kpi2) as "kpi2" by field1_2

Just wondering what other people do?

emiller42 · ‎12-06-2015

You can't visualize this directly, but I use the following when I want time series data on multiple dimensions:

...| bucket _time | stats count by _time field_1 field_2

HattrickNZ · ‎12-06-2015

tks, as you say not great for visualisation but looks good it the stats tab.
How do I control the _time granularity using this way?

emiller42 · ‎12-06-2015

You can optionally add a span= to bucket just like timechart.

... | bucket _time span=1d | ...

Using stats with a by on 2 fields works, but how can I do this with timechart?