Hi there,
I have events which indicate opening and closing of an event. I want to see the amount of open events (that did not get a closing event by that time) at a given time.
Snippet from my search so far:
... | stats earliest(_time) as _time by processid, service, location | eval combkey = service." - ".processid | eval openclosed = if(location="o","close","open") | timechart...
I just have no idea how to achieve this.
Any idea is welcome 🙂
thanks
lordadmiral
Try like this
.. | stats earliest(_time) as _time by processid, service, location | eval openclosed = if(location="o",-1,1) | timechart sum(openclosed)
Thanks a lot somesoni2!
Have you tried ... | timechart span=15m count by openclosed
Thanks for answering sundareshr! somesoni2's answer did the trick. 😉
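Added example, not part of any post in this thread: a Python sketch of the +1/-1 approach from the answer above, run on constructed events. It goes one step beyond the posted search by carrying the per-bucket sum forward as a running total, which gives the number of events still open at the end of each bucket. The sample data, the opening value "i", and the function name are assumptions.

```python
from collections import defaultdict
from itertools import accumulate

# Constructed sample events: (epoch_seconds, processid, service, location).
# As in the thread's eval, location "o" marks the closing event; "i" (assumed)
# stands for any other value and marks the opening event.
EVENTS = [
    (0,    "p1", "svcA", "i"),
    (120,  "p2", "svcA", "i"),
    (130,  "p2", "svcA", "i"),   # repeated open event, dropped by earliest()
    (600,  "p1", "svcA", "o"),
    (1000, "p3", "svcB", "i"),
    (1900, "p2", "svcA", "o"),
    (2000, "p4", "svcB", "i"),
    (3700, "p3", "svcB", "o"),
]


def open_counts(events, span=900):
    """Return (bucket_start, net_change, open_at_bucket_end) per time bucket."""
    # Equivalent of: stats earliest(_time) as _time by processid, service, location
    earliest = {}
    for t, pid, svc, loc in events:
        key = (pid, svc, loc)
        earliest[key] = min(t, earliest.get(key, t))

    # Equivalent of: eval openclosed = if(location="o",-1,1) | timechart sum(openclosed)
    net = defaultdict(int)
    for (pid, svc, loc), t in earliest.items():
        net[t - t % span] += -1 if loc == "o" else 1

    # Fill empty buckets with 0 so the running total has a value at every step,
    # then accumulate the signed deltas to get the count of still-open events.
    buckets = range(min(net), max(net) + span, span)
    deltas = [net.get(b, 0) for b in buckets]
    return list(zip(buckets, deltas, accumulate(deltas)))


if __name__ == "__main__":
    for start, delta, still_open in open_counts(EVENTS):
        print(f"bucket={start:>5}  net_change={delta:+d}  open={still_open}")
```

The middle column is what a per-bucket sum of the signed values yields; the last column is its cumulative sum over time.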