Hi folks,
Given: In my search I am using stats values() at some point. I am not sure, but this is making me lose track of _time, and because of that I am not able to use either timechart per_day(eval()) or count(eval()) by date_hour.
Part of search:
| stats values(code) as CODES by USER
Current state:
USER  CODES (multi-value)
a     11, 12, 13
b     14, 19, 13
c     15, 12, 13
d     18, 12, 14
e     11, 14, 17
Desired: count CODES by date.
CODES  COUNT
11     2
12     3
13     3
14     3
15     1
17     1
18     1
19     1
If I am not wrong, values(code) is making me lose track of _time. Is there a way to get this back?
OR
Can I group on custom timestamp obtained from logs?
| stats values(code) as CODES values(timestamp) as TS by USER
| eval TSN = mvindex(TS, 0)
Somehow can I use TSN for group by date?
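Added example, not part of the original post: stats returns only the fields named in its aggregations and its by clause, so bucketing _time to the day and listing it in the by clause carries the date through values(). The six events built with makeresults are constructed sample data (USER and code values are made up), and the bin / mvexpand steps are one possible approach, assuming _time is still present before the stats.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = if(n > 4, relative_time(now(), "-1d@d"), relative_time(now(), "@d"))
| eval USER = mvindex(split("a,a,b,b,a,c", ","), n - 1)
| eval code = mvindex(split("11,12,11,14,11,12", ","), n - 1)
| bin _time span=1d
| stats values(code) as CODES by _time USER
| mvexpand CODES
| stats count as COUNT by _time CODES
```

In a real search, the first five lines are replaced by the base search; the last four lines are the part that preserves the date and then counts each code per day.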