My search calculates the number of events of a field per hour per day.
In my chart result I only want to see the max of each day.
mysearch | timechart count span=1h as nb | eval Day=strftime(_time,"%Y/%m/%d") | dedup nb | top 1 nb by Day | sort + Day | table Day nb
The result is like this:
Day nb
2019-08-26 300
2019-08-27 252
2019-08-28 354
2019-08-29 458
But I would like to see the time slot in my result, like this:
Day nb
2019-08-26 10:00:00 300
2019-08-27 15:00:00 252
2019-08-28 13:00:00 354
2019-08-29 11:00:00 458
How can I do that?
Thanks
Try this -
mysearch
| timechart span=1h count as nb
| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| sort 0 Day - nb
| dedup Day
| table Day Hour nb
Thanks a lot. It's OK.
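Added example, not part of the original thread: sort followed by dedup Day keeps exactly one row per day, so when two hours tie for the daily maximum only one of them is shown. This variant uses eventstats to keep every hour that reaches the maximum. The makeresults lines are constructed sample data standing in for the timechart output, and n and day_max are names chosen here.

```spl
| makeresults count=6
| streamstats count as n
| eval _time=strptime(mvindex(split("2019-08-26 10:00,2019-08-26 14:00,2019-08-26 15:00,2019-08-27 09:00,2019-08-27 15:00,2019-08-27 16:00", ","), n-1), "%Y-%m-%d %H:%M")
| eval nb=tonumber(mvindex(split("300,300,120,80,252,40", ","), n-1))
| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| eventstats max(nb) as day_max by Day
| where nb=day_max
| stats max(nb) as nb values(Hour) as Hour by Day
| table Day Hour nb
```

To use it on real data, replace the first four lines with mysearch | timechart span=1h count as nb.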