Hi,
I built a report that lists daily maximums and averages of hourly counts over several days. (Difficult to put into words..)
Here is the query I use:
<search string>
| bucket _time span=1h
| stats dc(Serial) as dcSerial, dc(otherserial) as dcOtherSerial by _time
| bucket _time span=1d
| eval Processedtime=strptime(_time,"%s")
| stats max(dcSerial) avg(dcSerial) max(dcOtherSerial) avg(dcOtherSerial) by Processedtime
So this query returns the maximums of the distinct counts of each field, which is good.
But what I need is to return the value dcOtherSerial has when dcSerial is at its maximum during the day (because I don't care about the maximum of dcOtherSerial; I want to correlate the two).
Is it understandable?
Any thoughts?
Thanks
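One way to get the companion value rather than an independent maximum, added here as an example and not part of the original post: keep the hourly rows, sort each day so the hour with the highest dcSerial comes first, and let `stats first()` pick the dcOtherSerial from that same row. Field names (Serial, otherserial) and the `day` helper field are taken from or assumed for the query above; `sort 0` lifts the default 10,000-row sort limit, and `-_time` is only a tie-breaker so equal peaks resolve to the earliest hour.

```spl
<search string>
| bucket _time span=1h
| stats dc(Serial) as dcSerial, dc(otherserial) as dcOtherSerial by _time
| eval day=strftime(_time, "%Y-%m-%d")
| sort 0 day -dcSerial -_time
| stats first(dcSerial) as maxDcSerial, first(dcOtherSerial) as dcOtherSerialAtMax, first(_time) as hourOfMax, avg(dcSerial) as avgDcSerial, avg(dcOtherSerial) as avgDcOtherSerial by day
| eval hourOfMax=strftime(hourOfMax, "%Y-%m-%d %H:%M")
```

Because both dc values come from the same hourly row, dcOtherSerialAtMax is the distinct count observed in the peak hour, not the day's overall maximum of dcOtherSerial.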