Hi,
Thanks for the answer. But when I do the stats and timechart, it won't give me any output in statistics and visualization.
Both URLs are from different sources, but both share the same field, which is IP. That's why I am using dc by IP.
My current query would be
(x_URL="xxx.com" AND APP=app AND index=index1) OR (x_URL=yyy.com AND index=index2) | eval Date=strftime(_time,"%Y-%m-%d") | stats dc(x_URL) as URL by x_IP | where URL>1
I am using OR to get both URLs from different sources into the same search, and use dc(x_URL) by x_IP and URL>1 to get the distinct IPs which have both URLs.
But I am having trouble converting it to a timechart, since I don't want to know which IP has both URLs present; I just want to know the daily counts.
(x_URL="xxx.com" AND APP=app AND index=index1) OR (x_URL=yyy.com AND index=index2) | eval Date=strftime(_time,"%Y-%m-%d") | stats values(x_URL) as URL by x_IP | where URL>1 | timechart span=1d dc(x_IP)
Above query would give me any output as well.
Is there anything I should do to modify the query to make it work?
Thanks
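
An added example, not part of the original post: `stats` discards `_time` unless it appears in the `by` clause, which leaves a following `timechart` with nothing to bucket. One way to get the daily count of IPs that have both URLs is to bin `_time` by day first and carry it through `stats`. The field names and index filters are the ones from the post, and the output name `IPs_with_both_URLs` is made up for illustration.

```spl
(x_URL="xxx.com" AND APP=app AND index=index1) OR (x_URL="yyy.com" AND index=index2)
| bin _time span=1d
| stats dc(x_URL) as URL by _time x_IP
| where URL>1
| timechart span=1d dc(x_IP) as IPs_with_both_URLs
```

Here `dc(x_URL)` is used rather than `values(x_URL)`, so `URL` is a number that `where URL>1` can compare, and an IP is counted on a given day only if both URLs appear for it on that same day.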