Hi,
I have a question about a timechart query.
Let's say I have a log line like: "I found XXX matches"
How can I query and get the number of events with "I found" and the number of those same events where XXX>0 in the same timechart
(i.e. the total number of events with the string and the number of events where I found something (XXX>0))
Thanks for your help,
Nir
Perhaps this will get you started.
index=foo | rex "I found (?<num>\d+) matches" | stats count as Total count(eval(num>0)) as nonZero
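The same two counts carried over to the timechart the question asks for, as an added example that is not part of the original reply. The leading "I found" search term and span=1h are assumptions: the first keeps Total limited to events that contain the string, the second picks a bucket size.

```spl
index=foo "I found"
| rex "I found (?<num>\d+) matches"
| timechart span=1h count as Total count(eval(num>0)) as nonZero
```

Events where the rex does not match have no num field, so they are never counted in nonZero.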