How do we get event count from 2 dates. Something like this -
2/11/18 3/11/18 4/11/18
Event1 12 15 10
Event2 50 60 78
index =ind_prod...|eval abctime=strptime(abctime, "%Y-%m-%d") | search abctime>=$t.earliest$ AND abctime=$t.latest$
I tried above query, but it is not working
Assuming that your conversion of abctime
is correct (A BIG ASSUMPTION) and your other field is called Event
(a guess), try this (you were missing a <
for one thing):
index =ind_prod...
| eval abctime=strptime(abctime, "%Y-%m-%d")
| search abctime>=$t.earliest$ AND abctime<=$t.latest$
| bin _time span=1d
| eval _time = strftime(_time, "%m/%d/%Y")
| chart count BY event _time
I want count for 2 specific date, something like this :
31-Jul 24-Jul
SessionCount 100000 150000
X Count 2000 2200
Y Count 100 200
You have said that several times. Show us a few RAW EVENTS, note what fields are where inside of tohse events, and then show us a mockup of the final output that would be generated from JUST those events.
If you need 2 specific dates, then just set your Time picker
to cover that timespan.
You have not shown us what the events look like (where abctime
is).
instead of abctime we can take _time
@ataunk ,
index =ind_prod|eval date=strftime(_time,"%Y-%m-%d")|chart count over event_name by date
where event_name
is field name of your events
This will give for all the days selected in time range, I want for specific 2 date, something like this
31-Jul 24-Jul
SessionCount 100000 150000
X Count 2000 2200
Y Count 100 200