Hi!
Could you please help me with that special case of search?
This is my data:
User App
1. user1 appA
2. user1 appB
3. user2 appB
4. user1 appA
If I would like to get the hits per user and app by hour, i use the following
| timechart span=1h count by app
and now my question:
I would like to have the events from the last 7 days and for each app i would like the max count(per Hour) for each day
I have tried it with a second timechart after the first one and a span=1 but without success.
Thank you for your help!
Robert
@RobertRi have you experimented with the timewrap command ?
| timechart span=1h count(User) as Users by App
| timewrap 1day
Here is what it can help produce:
| makeresults
| eval _raw = "time, User, App
22-03-2020 01:00:00, user1, appA
22-03-2020 01:00:00, user1, appB
22-03-2020 01:00:00, user2, appA
22-03-2020 02:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
22-03-2020 02:00:00, user1, appA
22-03-2020 02:00:00, user1, appB
22-03-2020 03:00:00, user2, appA
22-03-2020 04:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
24-03-2020 01:00:00, user1, appB
24-03-2020 01:00:00, user2, appA
25-03-2020 02:00:00, user2, appB
25-03-2020 01:00:00, user1, appA
26-03-2020 01:00:00, user1, appB
27-03-2020 01:00:00, user2, appA
28-03-2020 02:00:00, user2, appB"
| multikv forceheader=1
| eval _time = strptime(time, "%d-%m-%Y %H:%M:%S")
| timechart span=1h count(User) as Users by App
| timewrap 1day
@RobertRi have you experimented with the timewrap command ?
| timechart span=1h count(User) as Users by App
| timewrap 1day
Here is what it can help produce:
| makeresults
| eval _raw = "time, User, App
22-03-2020 01:00:00, user1, appA
22-03-2020 01:00:00, user1, appB
22-03-2020 01:00:00, user2, appA
22-03-2020 02:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
22-03-2020 02:00:00, user1, appA
22-03-2020 02:00:00, user1, appB
22-03-2020 03:00:00, user2, appA
22-03-2020 04:00:00, user2, appB
22-03-2020 01:00:00, user1, appA
24-03-2020 01:00:00, user1, appB
24-03-2020 01:00:00, user2, appA
25-03-2020 02:00:00, user2, appB
25-03-2020 01:00:00, user1, appA
26-03-2020 01:00:00, user1, appB
27-03-2020 01:00:00, user2, appA
28-03-2020 02:00:00, user2, appB"
| multikv forceheader=1
| eval _time = strptime(time, "%d-%m-%Y %H:%M:%S")
| timechart span=1h count(User) as Users by App
| timewrap 1day
Thank you!