Hello there,
I have a search that gets the events attributed to "N" users, and I would like to compare the total amount of today's events to the week's median (not the average). My base search looks something like this:
index=myindex earliest=-w@d
| timechart span=1d count(events) by user limit=0
Which gives me this output:
_time user1 user2 userN
"day1" 1 1 4
"day2" 2 5 2
"day3" 6 7 7
.
.
"today" 3 8 6
I'd like to compare "today" total events with the median of the week (day 1 through today) for each user, returning the users that report 50% over or under the median. I managed to do this with join, since I couldn't get it done with timechart/timewrap, but the search is really slow:
index=myindex earliest=@d
| stats count(events) as today_totals by user
| join user [search index=myindex earliest=-w@d
    | bucket span=1d _time | stats count by _time user
    | stats median(count) as median_user by user]
| where today_totals>(median_user*1.5) OR today_totals<(median_user*0.5)
Any way to do this without join?
Thanks
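One way to get the same result in a single pass without join, as an added example that is not part of the original post: bucket the whole week by day and user, let eventstats attach each user's median across those daily rows, then keep only today's row and apply the thresholds. It assumes index=myindex and a user field as in the question, counts events with a plain count (substitute count(events) if events is a real field in the data), and treats "50% over or under" as today's total above 1.5 times or below 0.5 times the median.

```spl
index=myindex earliest=-w@d
| bucket span=1d _time
| stats count as daily_total by _time user
| eventstats median(daily_total) as median_user by user
| where _time>=relative_time(now(), "@d")
| rename daily_total as today_totals
| where today_totals>median_user*1.5 OR today_totals<median_user*0.5
| table user today_totals median_user
```

The week and today are read from the index once, so there is no subsearch limit or second scan. The eventstats runs before the today filter so the median is taken over day 1 through today, as the question asks. One caveat: a user who had events earlier in the week but none today produces no today row, so they are not reported even though zero is under the median; if those users matter, build the daily rows with timechart span=1d count by user limit=0 followed by untable _time user daily_total, which fills the missing days with 0, and then continue with the same eventstats and where steps.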