Yes, I'm trying to group all Fridays, Saturdays, Mondays, etc. together. I still think the search is returning the wrong results, however. Right now it is telling me that there are only two Sundays, which isn't true. The events go back to January, so there should be roughly 25 or so Sundays. Another issue is that I actually overlooked the fact that there was already a date_wday field for the reported events. I'm not sure if it would cause some kind of overlap issue, so I changed it to this:
base search | rex "(?<paymentAmount>\w+) days: (?<time>\d+)ms" | eval days=strftime(_time,"%A") | stats sum(paymentAmount), count BY days
No, there isn't a reason I captured the time field. Should I put something else in its place?
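As an added illustration (not part of this thread), the same pipeline emulated in Python over constructed sample events, showing what sum(paymentAmount) and count do per weekday when the rex capture is not a number or does not match at all; the event format and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Python spells named groups (?P<name>...) where Splunk's rex uses (?<name>...);
# the pattern is otherwise the one from the search in the post.
PATTERN = re.compile(r"(?P<paymentAmount>\w+) days: (?P<time>\d+)ms")

# Constructed sample events (timestamp, raw message); hypothetical format.
SAMPLE_EVENTS = [
    ("2024-01-07 09:15:00", "order ok 120 days: 45ms"),  # Sunday
    ("2024-01-08 10:00:00", "order ok 80 days: 30ms"),   # Monday
    ("2024-01-14 11:30:00", "order ok 200 days: 51ms"),  # Sunday
    ("2024-01-14 12:00:00", "order retry days: 99ms"),   # Sunday, \w+ captures "retry"
    ("2024-01-15 08:45:00", "healthcheck"),              # Monday, rex does not match
]


def stats_by_weekday(events):
    """Emulate: rex ... | eval days=strftime(_time,"%A")
                | stats sum(paymentAmount), count BY days
    Returns {weekday: (sum_of_paymentAmount, event_count)}."""
    totals = defaultdict(float)
    counts = defaultdict(int)
    for ts, raw in events:
        # eval runs on every event, so every event gets a days value
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%A")
        # count BY days counts every event in the group, matched or not
        counts[day] += 1
        m = PATTERN.search(raw)
        if m is None:
            continue  # no paymentAmount extracted; the event only adds to count
        try:
            totals[day] += float(m.group("paymentAmount"))
        except ValueError:
            pass  # \w+ also matches words; stats sum() ignores non-numeric values
    return {day: (totals[day], counts[day]) for day in counts}


if __name__ == "__main__":
    for day, (total, n) in sorted(stats_by_weekday(SAMPLE_EVENTS).items()):
        print(f"{day:<9} sum(paymentAmount)={total:g} count={n}")
```

The Sunday row shows the two effects at once: three events counted, but only two contribute to the sum because "retry" is not numeric.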