Hi There,
I have a field that identifies users, e.g. userID. I also have a field that is common in every log, e.g. command.
How can I create a timechart that doesn't return all users, rather, just users who have appeared a minimum of five times?
I tried the following search, but it didn't return any results:
stats count(command) as Uses by userID | Where Uses>5 | timechart span=1d dc(userID)
Thanks!
Time chart needs a time field in order to work.
Try the following instead:
| yoursearch
| bucket span=1d _time
| stats count(command) as Uses by userID, _time
| Where Uses>5
| timechart span=1d dc(userID)
Or this:
| yoursearch
| timechart span=1d count by userID
| Where count > 5
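Why the first query in the question returns nothing, as an added Python simulation (not code from the thread): `stats count(command) as Uses by userID` keeps only the userID and Uses columns and discards _time, so a later `timechart` has no time field to bucket on. Bucketing _time first, as in the corrected query, keeps a day column. The event data below is constructed for the example; the functions mirror the SPL commands by name.

```python
"""Simulate the original and corrected SPL pipelines over constructed events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_events():
    """Constructed sample events (not from the thread): _time, userID, command."""
    base = datetime(2024, 1, 1)
    events = []

    def add(user, day, n):
        for i in range(n):  # n events for `user` on `day`, one per hour
            events.append({"_time": base + timedelta(days=day, hours=i),
                           "userID": user, "command": "cmd"})

    add("alice", 0, 7)   # alice: 7 uses on day 0, 3 on day 1
    add("alice", 1, 3)
    add("bob", 0, 6)     # bob: 6 uses on each day
    add("bob", 1, 6)
    add("carol", 1, 2)   # carol: 2 uses on day 1 only
    return events


def stats_count_by_user(events):
    """`stats count(command) as Uses by userID`: one row per user, _time is gone."""
    counts = Counter(e["userID"] for e in events if "command" in e)
    return [{"userID": u, "Uses": c} for u, c in counts.items()]


def bucket_day(events):
    """`bucket span=1d _time`: truncate each _time to the start of its day."""
    return [dict(e, _time=e["_time"].replace(hour=0, minute=0, second=0, microsecond=0))
            for e in events]


def stats_count_by_user_day(events):
    """`stats count(command) as Uses by userID, _time`: _time survives as a by-field."""
    counts = Counter((e["userID"], e["_time"]) for e in events if "command" in e)
    return [{"userID": u, "_time": t, "Uses": c} for (u, t), c in counts.items()]


def where_uses_gt(rows, threshold):
    """`where Uses>threshold`."""
    return [r for r in rows if r["Uses"] > threshold]


def timechart_dc_user(rows):
    """`timechart span=1d dc(userID)`: rows without _time contribute nothing."""
    per_day = defaultdict(set)
    for r in rows:
        if "_time" in r:
            per_day[r["_time"].date().isoformat()].add(r["userID"])
    return {day: len(users) for day, users in sorted(per_day.items())}


def original_pipeline(events, threshold=5):
    """The question's query: stats by userID only, then timechart."""
    return timechart_dc_user(where_uses_gt(stats_count_by_user(events), threshold))


def fixed_pipeline(events, threshold=5):
    """The answer's first query: bucket _time, stats by userID and _time, then timechart."""
    rows = stats_count_by_user_day(bucket_day(events))
    return timechart_dc_user(where_uses_gt(rows, threshold))


if __name__ == "__main__":
    ev = build_events()
    print("original:", original_pipeline(ev))  # {} because stats dropped _time
    print("fixed:   ", fixed_pipeline(ev))     # {'2024-01-01': 2, '2024-01-02': 1}
```

Running it shows the original pipeline producing an empty chart, while the bucketed version counts two qualifying users on the first day (alice and bob) and one on the second (bob alone clears the threshold).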
I couldn't get either query to work.
I think the Where clause is the problem in both queries. I notice that 'where' is supposed to only be used when relating two fields. Maybe that's a problem with using where?
You can use either "search count > 5" or "where count > 5".
Try search instead but both should work just fine.
I was able to get the first query to work if I used 'search' instead of 'where'. I think using 'where' was really my problem, and now it works much better with 'search'. Thanks so much for the tip, I'm hanging onto your first query above.
Hi @bspier1
I'm glad you were able to find a solution through @javiergn 🙂 Please don't forget to resolve your questions by clicking "Accept" directly below the answer. This will help make it easier for other users finding an answer to the same/similar question. Thanks!
Patrick
If none work, can you paste your whole query here?