Sample log:
2013-11-01-10:11:34 userName=abc, download=1
2013-11-01-10:11:50 userName=abc, download=1
2013-11-01-10:30:29 userName=def, download=1
2013-11-01-11:11:34 userName=abc, download=1
2013-11-01-12:11:34 userName=xyz, download=1
What I need: find the total number of minutes in which each INDIVIDUAL user does NOT download anything over the period of time.
My approach so far:
sourcetype="someScr" download>0 | timechart span=1m count(download) by userName
What I got:
_time abc def xyz
2013-11-01-10:11:00 2 0 0
2013-11-01-10:12:00 0 0 0
2013-11-01-10:13:00 0 0 0
...
2013-11-01-10:30:00 0 1 0
2013-11-01-11:11:00 1 0 0
...
2013-11-01-12:11:00 0 0 1
The goal is to count all the 0 rows for each INDIVIDUAL user from the table above:
Sample results
abc def xyz
118 119 119
The result table shows that over 2 hours, abc doesn't download anything for 118 minutes, and 119 minutes for def and xyz.
I would like to do something like:
sourcetype="someScr" download>0 | timechart span=1m count(download) by userName | count (_time) by userName where VALUE=0
I'm stuck on the last step, that is, how to refer to the user and the field value and apply a where clause.
Or is there a better approach?
Thanks!
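One way to do the last step in SPL, added here as an example and not taken from the original post. It assumes the same sourcetype and field names as the question (sourcetype="someScr", download, userName); the field names downloads and idle_minutes are chosen for the example.

```spl
sourcetype="someScr" download>0
| timechart span=1m count BY userName limit=0
| untable _time userName downloads
| where downloads=0
| stats count AS idle_minutes BY userName
```

timechart fills every empty 1-minute bin with 0 for count, so the zero rows already exist after the first command; untable turns the wide table (_time, abc, def, xyz) into one row per _time and userName, which is what makes a where clause on the value possible, and stats then counts the zero rows per user. limit=0 matters because timechart otherwise keeps only the ten most frequent series and folds the rest into OTHER. Two caveats: timechart buckets the whole search time range, not just the span between the first and last event, so set earliest and latest explicitly to get the intended period; and because download>0 is applied before timechart, a user with no downloads at all in the window never gets a column and so never appears in the result.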