
Splunk stats count sort

Question: I have a search created, and want to get a count of the events returned by date. I know the date and time is stored in _time, but I don't want to count by _time, because I only care about the date, not the time. Is there a way to get the date out of _time? (I tried to build a rex, but it didn't work.)

Answer: As per this question:

sourcetype=your_sourcetype earliest=-48h latest=-24h | bucket _time span=1h | stats count by _time | sort - count

This will count the events per hour between 48 hours ago and 24 hours ago (change this as you see fit, or remove earliest and latest). If you want to average all of those results, you would add stats avg(count) at the end of the search:

sourcetype=your_sourcetype earliest=-48h latest=-24h | bucket _time span=1h | stats count by _time | stats avg(count)

The sort command sorts all the results by the specified fields. If the first argument to the sort command is a number, then at most that many results are returned, in order. Because ascending is the default sort order, you don't need to specify it unless you want to be explicit. Missing fields are treated as having the smallest or largest possible value of that field if the order is descending or ascending, respectively. You can specify different sort orders for each field; this example sorts the results first by the lastname field in ascending order and then by the firstname field in descending order.

To sort on a TOTAL row, transpose the results so the TOTAL field is a column instead of a row, then sort on TOTAL and transpose the results back.

Answer: You can try asking your admin to increase your disk space limit, if that's the limiting factor. If your admin has enabled the search_process_memory_usage_threshold setting, then ask for the threshold to be increased. Perhaps a better option is to reduce the number of results processed.